Windows Analysis Report
fdsN8iw6WG.exe

Overview

General Information

Sample name: fdsN8iw6WG.exe
renamed because original name is a hash value
Original sample name: 6fb0f1b7e1e962c770ef34e605d1c4ce.exe
Analysis ID: 1526016
MD5: 6fb0f1b7e1e962c770ef34e605d1c4ce
SHA1: a314d67a1383ba7042b9f5f1d513f4d9177dff35
SHA256: 32058aa91a7e956ae9b48f8ef08ed82c35063d4443d018369c45822da3c9ba03
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files to the user root directory
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: fdsN8iw6WG.exe Avira: detected
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Microsoft\sihost.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"C2 url": "http://703648cm.newnyash.top/providerpollpacketdefaultDbasyncTrafficDatalifeDle", "MUTEX": "DCR_MUTEX-YUXnB7xicRhpuDINWn5Y", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files\Microsoft\sihost.exe ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\iMBUyFOh.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\nASSbBeV.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\qcbjycVR.log ReversingLabs: Detection: 29%
Source: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe ReversingLabs: Detection: 73%
Source: fdsN8iw6WG.exe ReversingLabs: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\sihost.exe Joe Sandbox ML: detected
Source: fdsN8iw6WG.exe Joe Sandbox ML: detected
Source: fdsN8iw6WG.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Portable Devices\9e0136ccaf7772
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Microsoft\sihost.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Microsoft\66fc9ff0ee96c2
Source: fdsN8iw6WG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yXT9UKQtlxtUx0jY65A.pdbekNQTGLIDcuiPehd+XZZKKCwsBQHivX0eK9u+xtYxp3wyQQVngc4yE9B`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][] source: fdsN8iw6WG.exe, RuntimeBroker.exe.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr, sihost.exe.0.dr
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\diacazft\diacazft.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49889 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49978 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49979 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49980 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49982 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49983 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49981 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49977 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49985 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49984 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49986 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49954 -> 37.44.238.250:80
Source: powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.2715540404.0000020500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090C107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.000002568022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885549000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2715540404.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090BEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.0000025680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2715540404.0000020500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090C107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.000002568022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885549000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000028.00000002.2714928586.00000284C6A97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000001E.00000002.2715540404.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090BEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.0000025680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\FMuYuXzk.log 1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
Source: fdsN8iw6WG.exe, 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 00000000.00000002.2290010756.000000001C545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 00000027.00000002.2420339625.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 00000027.00000002.2420339625.0000000002C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 0000002C.00000002.2420913729.000000000347B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 0000002C.00000002.2420913729.00000000033C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 0000002C.00000002.2420913729.0000000003400000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@49/66@0/0
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\qcbjycVR.log
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Mutant created: NULL
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-YUXnB7xicRhpuDINWn5Y
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_03
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\AppData\Local\Temp\3a401533b82e2cb9c9bc589aa6ee01300983b035
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Source: fdsN8iw6WG.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: fdsN8iw6WG.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File read: C:\Users\user\Desktop\fdsN8iw6WG.exe
Source: unknown Process created: C:\Users\user\Desktop\fdsN8iw6WG.exe "C:\Users\user\Desktop\fdsN8iw6WG.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: unknown Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"
Source: unknown Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: unknown Process created: C:\Users\user\Desktop\fdsN8iw6WG.exe C:\Users\user\Desktop\fdsN8iw6WG.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\fdsN8iw6WG.exe C:\Users\user\Desktop\fdsN8iw6WG.exe
Source: unknown Process created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Source: unknown Process created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: unknown Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: unknown Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
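The process-creation lines above contain the chain a responder wants to flag on sight: powershell.exe adding a Defender exclusion for every dropped copy, system-process names (sihost.exe, RuntimeBroker.exe) started from Program Files subdirectories, csc.exe and cvtres.exe compiling from a response file in %TEMP%, and a batch file that runs chcp and w32tm /stripchart against localhost as a delay before launching the payload. The Python below is an added example, not part of this report or of Joe Sandbox tooling. It parses lines in the report's "Source: … Process created: …" format, strips the "Jump to behavior" link text that the HTML export leaves behind, and applies those checks. The system-image-name list, the directory prefixes and the rule names are assumptions chosen for this report; the sample lines are copied from the report above.

```python
"""Triage rules for "Process created" lines of a Joe Sandbox text report (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Image names that belong in System32/SysWOW64 on a stock install (assumption; extend as needed).
SYSTEM_IMAGE_NAMES = {"sihost.exe", "runtimebroker.exe", "svchost.exe", "csrss.exe",
                      "lsass.exe", "winlogon.exe", "dllhost.exe", "taskhostw.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments marking locations a standard user can write to (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")

_LINE_RE = re.compile(r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+"
                      r"(?P<image>.+?\.(?:exe|com))(?:\s+(?P<cmdline>.*))?$", re.IGNORECASE)
_EXCLUSION_RE = re.compile(r"-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
_RESPONSE_FILE_RE = re.compile(r'@"([^"]+)"')
_OUT_RE = re.compile(r'/OUT:([^"\s]+)', re.IGNORECASE)
_BAT_RE = re.compile(r'"?([^"\s]+\.bat)"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    image: str
    detail: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one report line; None for lines that are not process creations."""
    text = line.strip()
    if text.endswith("Jump to behavior"):          # link text left by the HTML export
        text = text[:-len("Jump to behavior")].rstrip()
    m = _LINE_RE.match(text)
    return ProcessEvent(m["parent"], m["image"], m["cmdline"] or "") if m else None


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev: ProcessEvent) -> List[Finding]:
    """Apply the rules matching the behaviours in this report; returns zero or more findings."""
    name = PureWindowsPath(ev.image).name.lower()
    cmd = ev.cmdline
    out: List[Finding] = []

    def hit(rule: str, detail: str) -> None:
        out.append(Finding(rule, ev.parent, ev.image, detail))

    # 1. Defender exclusion added from the command line (ATT&CK T1562.001).
    if name in ("powershell.exe", "pwsh.exe") and re.search(r"(add|set)-mppreference", cmd, re.I):
        hit("defender_exclusion", "; ".join(_EXCLUSION_RE.findall(cmd)) or cmd)
    # 2. A system-process name running outside System32/SysWOW64 (masquerading, T1036.005).
    if name in SYSTEM_IMAGE_NAMES and not ev.image.lower().startswith(SYSTEM_DIRS):
        hit("system_name_unexpected_location", ev.image)
    # 3. Compiler driven by a response file in a user-writable directory, or cvtres
    #    writing its resource object there (Sigma: compiles file from suspicious location).
    if name in ("csc.exe", "vbc.exe"):
        for rsp in _RESPONSE_FILE_RE.findall(cmd):
            if _user_writable(rsp):
                hit("compile_from_user_dir", rsp)
    if name == "cvtres.exe":
        for obj in _OUT_RE.findall(cmd):
            if _user_writable(obj):
                hit("compile_from_user_dir", obj)
    # 4. cmd.exe running a batch file dropped in a user-writable directory.
    if name == "cmd.exe":
        for bat in _BAT_RE.findall(cmd):
            if _user_writable(bat):
                hit("batch_from_user_dir", bat)
    # 5. w32tm /stripchart against localhost: a signed-binary delay before the payload launch.
    if name == "w32tm.exe" and "/stripchart" in cmd.lower() and "/computer:localhost" in cmd.lower():
        hit("w32tm_sleep", cmd)
    return out


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            findings.extend(check_event(ev))
    return findings


# Constructed sample: lines copied from this report, one with the export's trailing link text.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe'
Source: unknown Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: unknown Process created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""
SAMPLE_LINES = [ln for ln in SAMPLE_REPORT.splitlines() if ln.strip()]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule:34} parent={f.parent}  image={f.image}  detail={f.detail}")
```

Run against the eight sample lines it returns seven findings and nothing for the conhost.exe line. Two caveats when reusing the rules on live telemetry: the csc.exe/cvtres.exe rule is noisy on its own, because PowerShell Add-Type and many installers also compile from %TEMP%, so weight it by the parent (here an unsigned binary on the user's desktop rather than powershell.exe); and the cvtres input files in this report sit under C:\Windows\System32 and the Edge application directory, which only works if the compiling process can write there, a useful hint that the sample ran with elevated rights.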
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: apphelp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: version.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: sspicli.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: version.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: version.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: version.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: sspicli.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: version.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\sihost.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Portable Devices\9e0136ccaf7772
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Microsoft\sihost.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Directory created: C:\Program Files\Microsoft\66fc9ff0ee96c2
Source: fdsN8iw6WG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: fdsN8iw6WG.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: fdsN8iw6WG.exe Static file information: File size 2033664 > 1048576
Source: fdsN8iw6WG.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f0000
Source: fdsN8iw6WG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yXT9UKQtlxtUx0jY65A.pdbekNQTGLIDcuiPehd+XZZKKCwsBQHivX0eK9u+xtYxp3wyQQVngc4yE9B`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][] source: fdsN8iw6WG.exe, RuntimeBroker.exe.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr, sihost.exe.0.dr
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\diacazft\diacazft.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs .Net Code: Type.GetTypeFromHandle(Qae5tnodZUfv3RITPXZ.WNl6Y5Yl7ZE(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Qae5tnodZUfv3RITPXZ.WNl6Y5Yl7ZE(16777245)),Type.GetTypeFromHandle(Qae5tnodZUfv3RITPXZ.WNl6Y5Yl7ZE(16777259))})
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 0_2_00007FF848E909B0 push ebx; retf 0_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 0_2_00007FF848E90AD3 push ebx; retf 0_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 0_2_00007FF848E90AFB push ebx; retf 0_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 0_2_00007FF849290E2C pushad ; ret 0_2_00007FF849290E2D
Source: C:\Program Files\Microsoft\sihost.exe Code function: 8_2_00007FF848E609B0 push ebx; retf 8_2_00007FF848E60B1A
Source: C:\Program Files\Microsoft\sihost.exe Code function: 8_2_00007FF848E60AD3 push ebx; retf 8_2_00007FF848E60B1A
Source: C:\Program Files\Microsoft\sihost.exe Code function: 8_2_00007FF848E60AFB push ebx; retf 8_2_00007FF848E60B1A
Source: C:\Program Files\Microsoft\sihost.exe Code function: 8_2_00007FF848E600BD pushad ; iretd 8_2_00007FF848E600C1
Source: C:\Program Files\Microsoft\sihost.exe Code function: 9_2_00007FF848E809B0 push ebx; retf 9_2_00007FF848E80B1A
Source: C:\Program Files\Microsoft\sihost.exe Code function: 9_2_00007FF848E80AD3 push ebx; retf 9_2_00007FF848E80B1A
Source: C:\Program Files\Microsoft\sihost.exe Code function: 9_2_00007FF848E80AFA push ebx; retf 9_2_00007FF848E80B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848E909B0 push ebx; retf 16_2_00007FF848E90B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848E90AD3 push ebx; retf 16_2_00007FF848E90B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848E90AFB push ebx; retf 16_2_00007FF848E90B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848EA6983 push edx; iretd 16_2_00007FF848EA698B
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848EA88C3 pushfd ; iretd 16_2_00007FF848EA88C6
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848EC7AA5 pushad ; iretd 16_2_00007FF848EC7AED
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 16_2_00007FF848EC7A65 pushad ; iretd 16_2_00007FF848EC7AED
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 33_2_00007FF848E509B0 push ebx; retf 33_2_00007FF848E50B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 33_2_00007FF848E50AD3 push ebx; retf 33_2_00007FF848E50B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Code function: 33_2_00007FF848E50AFB push ebx; retf 33_2_00007FF848E50B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848E909B0 push ebx; retf 39_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848E90AD3 push ebx; retf 39_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848E90AFB push ebx; retf 39_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848EA6988 push edx; iretd 39_2_00007FF848EA698B
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848EA88C3 pushfd ; iretd 39_2_00007FF848EA88C6
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848EC7AA5 pushad ; iretd 39_2_00007FF848EC7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 39_2_00007FF848EC7A65 pushad ; iretd 39_2_00007FF848EC7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 44_2_00007FF848EB7AA5 pushad ; iretd 44_2_00007FF848EB7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 44_2_00007FF848EB7A65 pushad ; iretd 44_2_00007FF848EB7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Code function: 44_2_00007FF848EB7B45 pushad ; iretd 44_2_00007FF848EB7AED
Source: fdsN8iw6WG.exe Static PE information: section name: .text entropy: 7.577310772845179
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr Static PE information: section name: .text entropy: 7.577310772845179
Source: RuntimeBroker.exe.0.dr Static PE information: section name: .text entropy: 7.577310772845179
Source: sihost.exe.0.dr Static PE information: section name: .text entropy: 7.577310772845179
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr Static PE information: section name: .text entropy: 7.577310772845179
Source: fdsN8iw6WG.exe, egX5ApVIBfx5UWJMXqi.cs High entropy of concatenated method names: 'oUXVmOUmnM', 'mgr5i3qWy1R3qatjsKv4', 'JbQAR9qW5xxoBhjQlTiP', 'zTY0jNqWfHNYCuevDdIY', 'b5XbC8qWUxehZOCmgjT6', 'doVYEIqWaNCy9Gnd9GZR', 'bwWAgbqWs5AkPImKdNuO', 'knT2J0qW3HTUG4cx3kvp'
Source: fdsN8iw6WG.exe, w0uddHJx9cl1soAVmOK.cs High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'Lm0qVJJjGI9', 'D3IqJqwFuBs', 'Ebq2w8qi2BV5HRSjHI0x', 'OdmoelqiFZH09AiifP6N', 'SEOreCqi9MBMd8CNThOA', 'ccHa3uqia9O7fMaH4NFb', 'FmgWVNqisvSpXFlUcvSD'
Source: fdsN8iw6WG.exe, R114gd4rSRRNN94ucam.cs High entropy of concatenated method names: 'nSf4FJWVYO', 'uwj49bYUPa', 'zB94anIqR1', 'JkhlSGqZIttJ5FfsRi2x', 'e96bPDqZGOwfSO4UTWL5', 'yows4UqZhlQPHuDMy6ty', 'Ne742xqZ0x01vCSe6gBT', 'AG34Z7Hnqy', 'tRE4PuVJEm', 'mnm4uovyKR'
Source: fdsN8iw6WG.exe, Yxmw2BmjpcRLTKofIA8.cs High entropy of concatenated method names: 'vmrmblalmj', 'H5wmvaK5wi', 'yPAmckmRob', 'ScGmd8LWZs', 'wxgmNJyhsH', 'pjKm7Ywh0t', 'KYBmEt6lvS', 'T1smThZXkn', 'd7bmto6kkM', 'KBPm4QMBws'
Source: fdsN8iw6WG.exe, fPKCoIVjAgBMeSAiPlK.cs High entropy of concatenated method names: 'MMnVvQHNfi', 'QcSVcaZX7Q', 'sCLVdL5qPf', 'YlsVngqWiTCcbm36PTu2', 'bVwTEFqWbhOLM0cpA61j', 'REB5x7qWS9C1xvWQegSy', 'RkniB4qW1vuCRPJWfsUr', 'yqoV2CqWxPAqSMXJi7r8', 'xlooQjqWg0836IByqCUC', 'DAonHMqWWG6iMWu1xPFC'
Source: fdsN8iw6WG.exe, yKPrjgzbKofUIO04IT.cs High entropy of concatenated method names: 'R1lqqm3GWc', 'LVBqBQHStE', 'BdeqJYF3ZD', 'DK3qYh5ZxU', 'qJUqeq8drc', 'noKqleHc2l', 'MQCqARrVTY', 'IhaFYjqKVLpnOn0CcSkW', 'Jum37ZqKAEmLZ5UCSuwM', 'PYpLRrqKjM3x9xXE0SSn'
Source: fdsN8iw6WG.exe, XwDHFyVKDEOV7pjHm1V.cs High entropy of concatenated method names: 'ewfV1OK9OW', 'o5GVijrgS2', 'lJtVbCO07G', 'psPVxrhRnS', 'QcZVgoPXa4', 'uEIVW1tq5D', 'oQts82q8kIIHSKJ1wdgS', 'y6A8hiq8q53kBrjaq4LM', 'DhOT7Aq86FbehTRMsLH5', 'DZOAKgq8BnZIAJvTUrgH'
Source: fdsN8iw6WG.exe, ajuGBUWLbGMb9vprVOW.cs High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'HqsWpvNP2o', 'jGsWZpOgSQ', 'nnEWPa7tdM', 'oAFWuHMV7y', 'nstWnuKbCI', 'OwDW2UquX1', 'ANEI9wqfBMBRrZKr0eVb'
Source: fdsN8iw6WG.exe, zs1hb3pb0QsRt4USbZJ.cs High entropy of concatenated method names: 'Y7opgHIWsk', 'SvypWuGZnj', 'trup8F6BLc', 'S2qpHQpEG7', 'UPopLgIBu9', 'SCSprJlLhS', 'OlxppVrZjD', 'QwipZsKdYQ', 'kf1pPHwecc', 'Hlepuwr3if'
Source: fdsN8iw6WG.exe, xBcFVU6YgQQxyR3l0Qv.cs High entropy of concatenated method names: 'P1P6lEld0X', 'tSC6VyN2re', 'Q4W6AnErDM', 'FT66jtqY1h', 'Rgt4lLqS7xsA6LDX1pZa', 'sjqWryqSd3j0iMVu5EHO', 'njESbYqSNPShZqb1ioX6', 'cucWmSqSE9WBgtOZDM3y', 'AQCx1XqST476J0j03eVh', 'aNimogqStDisoJNSoO7Q'
Source: fdsN8iw6WG.exe, Qn50it1cQgGZfZ6IHeb.cs High entropy of concatenated method names: 'wIc1N1P9lV', 'SRF6AYqamxIBpoyp17Sr', 'tmwuckqaIPjWUP3bM9LT', 'OirBGgqa09PTaMK8eiXo', 'QI1htjqaXEIO2jHOWD4W', 'CaSGFZqaRHBvImttlHCW'
Source: fdsN8iw6WG.exe, ftSwvJqU4pQAM8nGXxD.cs High entropy of concatenated method names: 'P9X', 'QGlqDqJquX', 'cyKqVkRMl4P', 'imethod_0', 'ibSqQwB91E', 'Amn2A5qKwbASbtSXcmGt', 'zVHKHQqKosXWWMxgP9s3', 'bpNTMsqKDxhxSJAF94aj', 'zpiXoXqKQmFsCVBbn1op', 'uBXFc7qKCPl9DUbff1HT'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\qcbjycVR.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Program Files\Microsoft\sihost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\nASSbBeV.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\PvOoeAES.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\YehEOcJA.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\FMuYuXzk.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\iMBUyFOh.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\Desktop\eWKdrIOo.log

Boot Survival

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File created: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\sihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: 1570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: 1AFC0000 memory reserve | memory write watch
Source: C:\Program Files\Microsoft\sihost.exe Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Program Files\Microsoft\sihost.exe Memory allocated: 1AB10000 memory reserve | memory write watch
Source: C:\Program Files\Microsoft\sihost.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Program Files\Microsoft\sihost.exe Memory allocated: 1B100000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 12A0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 1ADD0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: B40000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 1A5F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: 1AA20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: 1B1F0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Memory allocated: 32B0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Memory allocated: 1B2B0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Memory allocated: 7E0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Memory allocated: 1A6A0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 680000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 1A450000 memory reserve | memory write watch
Source: C:\Program Files\Microsoft\sihost.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Program Files\Microsoft\sihost.exe Memory allocated: 1A730000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 13C0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Memory allocated: 1B070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9749
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9734
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9716
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qcbjycVR.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nASSbBeV.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\PvOoeAES.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\YehEOcJA.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FMuYuXzk.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\iMBUyFOh.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eWKdrIOo.log
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe TID: 6532 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe TID: 2380 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe TID: 3116 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 2612 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep count: 9747 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 Thread sleep count: 9749 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 5388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep count: 9734 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep count: 9641 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348 Thread sleep count: 80 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep count: 9421 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep count: 321 > 30
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe TID: 4336 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368 Thread sleep count: 9716 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe TID: 1480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe TID: 7080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe TID: 7180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 7860 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft\sihost.exe TID: 7948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 1812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\sihost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\sihost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\sihost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: w32tm.exe, 00000033.00000002.2331757964.000001F5ACDC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process token adjusted: Debug
Source: C:\Program Files\Microsoft\sihost.exe Process token adjusted: Debug
Source: C:\Program Files\Microsoft\sihost.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Queries volume information: C:\Users\user\Desktop\fdsN8iw6WG.exe VolumeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Microsoft\sihost.exe Queries volume information: C:\Program Files\Microsoft\sihost.exe VolumeInformation
Source: C:\Program Files\Microsoft\sihost.exe Queries volume information: C:\Program Files\Microsoft\sihost.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Queries volume information: C:\Users\user\Desktop\fdsN8iw6WG.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Queries volume information: C:\Users\user\Desktop\fdsN8iw6WG.exe VolumeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Queries volume information: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe Queries volume information: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation
Source: C:\Program Files\Microsoft\sihost.exe Queries volume information: C:\Program Files\Microsoft\sihost.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fdsN8iw6WG.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sihost.exe PID: 5808, type: MEMORYSTR
Source: Yara match File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED
Source: Yara match File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fdsN8iw6WG.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sihost.exe PID: 5808, type: MEMORYSTR
Source: Yara match File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED
Source: Yara match File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED
No contacted IP infos