Windows Analysis Report
KxgGGaiW3E.exe

Overview

General Information

Sample name: KxgGGaiW3E.exe
renamed because original name is a hash value
Original sample name: eb0beafcb365cd20eb00ff9e19b73232.exe
Analysis ID: 1430591
MD5: eb0beafcb365cd20eb00ff9e19b73232
SHA1: 1a4470109418e1110588d52851e320ecefcba7de
SHA256: 31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99
Tags: 64exe

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Quasar RAT
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "185.196.10.233:4782;", "SubDirectory": "gfgfgf", "InstallName": "gfdgfdg.exe", "MutexName": "b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6", "StartupKey": "fgfdhdgg", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "sLgsAfL2UUP6AlkFtdbXqluoDW3wMwZMc5jX/AEQ95yeOqJ/mDe6i6lW/m64mbhn2G3vN2d4I8Qtdsrk2BNrFgrax6KY4LwvCADg4iWu0OQObYe1kIVp1F920nP6DUrentMm6n8M1g8s0yh5HdxXXephIuo4I5YYucMt7gcLshmgAYmxg6+d/d0YKS2VeOfF2/u6r+XgU+ilIVnN+9UjjlZXvAheUXkEbG8ebP7qHAv/DAgmZBOJhfTnATX3mUUEEUqS3oJGqmX2s1j7k/+49o+l7SkZ42evs7mYtKNHm72CJqu0rqg9V2fm/gprhNvvqjOjmmKr+R9u3Fp2aS1qKKaaAUFd9QfBv7ZfmM8EaTUMi/saY/FxjvvLvxFxwqubJ96oCdONVu5DE/Q5zOby9y9ed9I3Jkp9FtwBnOQym4e0iVii1wCUXkpolBSyPGUp5GQdoCJDYndo9z2VBzLLEHDgAGBMmlglK/7uri3vB4faJObyyfsLSBNl0Ig/nKkRBiAIzPRxuLbPAo/YbPRJhWm5slo8SnnRihxPzjpbhTpHvilpqsdx1vxwo+c7vKPgi/zfrelosnaoPnp16aKmYfNzXQyJryygd3ApTPltaPEH9bBtU327kpGeGOHwaDC6JnN3RpAbgLnKYsUR9pzQmwxFsQF//cKI40pEDtA4myQ=", "ServerCertificate": "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"}
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: KxgGGaiW3E.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 185.196.10.233:4782 -> 192.168.2.5:49803
Source: Malware configuration extractor URLs: 185.196.10.233
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.5:49803 -> 185.196.10.233:4782
Source: Joe Sandbox View IP Address: 13.107.213.41
Source: Joe Sandbox View IP Address: 63.140.39.35
Source: Joe Sandbox View IP Address: 185.196.10.233
Source: Joe Sandbox View IP Address: 15.204.213.5
Source: Joe Sandbox View ASN Name: SIMPLECARRIERCH
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /scripts/c/ms.jsll-3.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=y8N7c1Y4naP4LXT&MD=bDMVUy3y HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1Host: target.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: MSCC=NR; at_check=true; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908005|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086145
Source: global traffic HTTP traffic detected: GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1Host: target.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: MSCC=NR; at_check=true; MUID=0D19E9F3C251654A0877FD99C65163F5; MC1=GUID=80693ed0956b4d3bbf5854ef5432e609&HASH=8069&LV=202404&V=4&LU=1713906147888; MS0=05ae0c6c5ce74d35a7fe10439902c322; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908009|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086149
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=y8N7c1Y4naP4LXT&MD=bDMVUy3y HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: chromecache_136.9.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${encodeURIComponent(t)}&text=${encodeURIComponent(BC.replace("{credentialName}",e.title))}" equals www.linkedin.com (Linkedin)
Source: chromecache_136.9.dr String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_136.9.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_136.9.dr String found in binary or memory: </div>`;v(t,e)}}function pR(e){T.documentElement.classList.add("api-search-has-results");for(let{container:t}of rS)t.textContent=e}function HSe(){T.documentElement.classList.remove("api-search-has-results");for(let{container:e}of rS)e.innerHTML=""}function f3e(e,t){let o=bt(),n,r;if(o==="")n=Qr[Bt].displayName,r=null;else{let a=t.packagesByMoniker[o];n=a.product.displayName,r=a.versionDisplayName}let s=T.createElement("h2");s.classList.add("api-search-results-heading","font-size-h3");let i=d`${uR.resultsHeadingTemplate.replace("{platformName}",n)}`;if(v(i,s),r!==null&&Bt==="rest"){let a=d`${H(`${Ve(o)} REST ${uR.resultsHeadingTemplate.replace("{platformName}",n)}`)}`;v(a,s)}else if(r!==null){let a=d`${H(`${uR.resultsHeadingTemplate.replace("{platformName}",n)} <span class="moniker-version">version ${Ve(r)}</span>`)}`;v(a,s)}e.appendChild(s)}function z2(e,t){if(t!==""&&!/[?&]view=/i.test(e)){let[n,r]=e.split("#");r=r===void 0?"":"#"+r,e=Bt==="rest"?`${n}${r}`:`${n}?view=${encodeURIComponent(t)}${r}`}let o=new URL(e,location.origin);return e=`${o.pathname}${o.search}${o.hash}`,Bt!=="rest"&&(e=`/${h.data.userLocale}${e}`),e}var zf="api-search-term-changed",q_="";function Gf(){return q_}function G2(e){e=e.trim(),e!==q_&&(q_=e,h.data.pageTemplate==="ApiBrowserPage"&&It({term:q_},"pushState"),window.dispatchEvent(new CustomEvent(zf,{detail:{term:q_}})))}function BSe(){let e=ee().term;return e===void 0?"":e.trim()}h.data.pageTemplate==="ApiBrowserPage"&&(q_=BSe(),window.addEventListener("popstate",()=>G2(BSe())));function zSe(){O.addEventListener(zf,V2),O.addEventListener(as,V2),h.data.pageTemplate==="ApiBrowserPage"&&V2()}var mR="";function V2(){let e=Gf(),t=bt(),o=`${e}/${t}`;return 
o===mR?Promise.resolve():(mR=o,h.data.pageTemplate==="ApiBrowserPage"&&t!==""&&e===""?(B2(),Promise.all([FSe(Bt,t,h.data.userLocale),Xl()]).then(([n,r])=>{if(o===mR){if(n.apiItems.length===0){pR(Tn);return}dR(r,n.apiItems,null)}},()=>{pR(wD)})):e.length<3?(HSe(),Promise.resolve()):Qr[Bt].validSearchTerm.test(e)?(B2(),Promise.all([cR(Bt,t,e,h.data.userLocale),Xl()]).then(([n,r])=>{o===mR&&(Y2(t,e,n.results.length),dR(r,n.results,n["@nextLink"]))},()=>{pR(wD)})):Xl().then(n=>dR(n,[],null)))}function Y2(e,t,o){Ue({actionType:He.OTHER,behavior:ye.SEARCH,content:{event:"api-browser-search",platform:Bt,moniker:e,term:t,results:o}})}var GSe="api-search-field";function VSe(){let e=T.createElement("form");e.classList.add(GSe,"margin-top-xxs"),e.setAttribute(Lo.name,GSe),e.action="javascript:",e.addEventListener("submit",l=>l.preventDefault());let t=T.createElement("label"),o=T.createElement("span");o.classList.add("visually-hidden"),o.textContent=xo,t.appendChild(o),e.appendChild(t);let n=T.createElement("input");n.type="search",n.classList.add("input","input-lg","padding-right-sm"),n.value=Gf(),n.placeholder=xo,t.appendChild(n);let r=T.createElement("a");r.href="#",r.title=g9,r.classList.add("clear"),r.addEventListener("click",l=>{l.preventDefault(),n.value="",n.dispatchEvent(ne
Source: chromecache_136.9.dr String found in binary or memory: </div>`}function jGe(e){return e.authenticationModes?e.authenticationModes.map(t=>t.type).includes("MSA"):!1}function QGe(e){let t=e.authenticationModes.find(o=>o.type==="MSA");return t?t.upn:null}function WGe(e){let t=e.authenticationModes.find(o=>o.type==="AAD");return t?t.upn:null}function KGe(e,t,o){return t??(Xt(e.email)?o:e.email)??""}function Zwe(e){let t=jGe(e),o=t?QGe(e):null,n=t?null:WGe(e),r=KGe(e,o,n);return[t,r]}function JGe(e,t){let[o,n]=Zwe(t);if(o){let i=e.querySelector("#report-msa-email-account");i.innerText=n}let r=e.querySelector("#opt-into-email-checkbox"),s=e.querySelector("#submitter-info");r.addEventListener("change",()=>{r.checked?s.hidden=!1:s.hidden=!0})}function XGe(e){if(!e)return;let t=e.querySelector("#select-reason"),o=e.querySelector("#other-reason-textarea-container"),n=o.querySelector("textarea");!t||!o||!n||(t.value==="Other"&&(o.hidden=!1,n.required=!0),t.addEventListener("change",()=>{t.value==="Other"||t.value==="14"?(o.hidden=!1,n.required=!0,n.disabled=!1):(o.hidden=!0,n.required=!1,n.disabled=!0)}))}var uo;function eEe(){let e=document.getElementById("share-to-linkedin-profile");e&&e.addEventListener("click",t=>{let o=t.currentTarget,n=JSON.parse(o.dataset.credential),r=document.createElement("div"),s=ZGe(n);v(s,r),uo=new pe(r),uo.show();let i=document.getElementById("share-to-feed-button"),a=document.getElementById("linkedin-feed-message"),l=new URL(decodeURI(i.getAttribute("href")));a.onchange=()=>{l.searchParams.set("text",a.value),i.setAttribute("href",l.toString())}})}function ZGe(e){let t=encodeURI(`https://${location.host}/api/credentials/share/${h.data.userLocale}/${S.userName}/${e?.credentialId}?sharingId=${S.sharingId}`),o=1035,n=i=>new Date(i).getFullYear(),r=i=>new 
Date(i).getMonth()+1,s=encodeURI(`https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=${e.title}&organizationId=${o}&issueYear=${n(e.awardedOn)}&issueMonth=${r(e.awardedOn)}&expirationYear=${e.expiresOn?n(e.expiresOn):""}&expirationMonth=${e.expiresOn?r(e.expiresOn):""}&certUrl=${t}&certId=${e.credentialId}&skills=${e.skills?`${e.skills.map(i=>encodeURIComponent(i)).join(",")}`:""}`);return d` equals www.linkedin.com (Linkedin)
Source: unknown DNS traffic detected: queries for: www.google.com
Source: unknown HTTP traffic detected: POST /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1Host: target.microsoft.comConnection: keep-aliveContent-Length: 1051sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: text/plainAccept: */*Origin: https://learn.microsoft.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: MSCC=NR; at_check=true; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908004
Source: svchost.exe, 00000008.00000002.3310972425.000001E435800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: ilasm.exe, 00000019.00000002.3309009758.0000000005CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ilasm.exe, 00000019.00000002.3309009758.0000000005CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000008.00000002.3309868459.000001E430B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2804233313.000001E435602000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3311267298.000001E435862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0/go
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000008.00000002.3311410260.000001E4358C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000008.00000002.3311079208.000001E43582F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0
Source: qmgr.db.8.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipwho.is
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipwho.isd
Source: chromecache_146.9.dr String found in binary or memory: http://schema.org/Organization
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: svchost.exe, 00000008.00000002.3311162257.000001E435859000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microst.
Source: KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chromecache_145.9.dr String found in binary or memory: http://www.gimp.org/xmp/
Source: chromecache_146.9.dr String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_136.9.dr String found in binary or memory: https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events
Source: chromecache_136.9.dr String found in binary or memory: https://aka.ms/certhelp
Source: KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: chromecache_146.9.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_136.9.dr String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_146.9.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: chromecache_146.9.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_146.9.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_136.9.dr String found in binary or memory: https://channel9.msdn.com/
Source: svchost.exe, 00000008.00000003.2187011411.000001E435673000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.2187011411.000001E435600000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: chromecache_136.9.dr String found in binary or memory: https://github.com/$
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/Thraka
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/adegeo
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_136.9.dr String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/gewarren
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/mairaw
Source: chromecache_146.9.dr String found in binary or memory: https://github.com/nschonni
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipwho.is
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007E07000.00000004.00000800.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipwho.is/
Source: chromecache_146.9.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Source: chromecache_136.9.dr String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_136.9.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_136.9.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_136.9.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_136.9.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: qmgr.db.8.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007C57000.00000004.00000800.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: chromecache_136.9.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_136.9.dr String found in binary or memory: https://www.cafbaseline.com/
Source: chromecache_136.9.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: chromecache_136.9.dr String found in binary or memory: https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$
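The "String found in binary or memory" entries above mix two populations: strings from the sample and the processes it injected into (KxgGGaiW3E.exe, ngen.exe, the svchost.exe instance with index 18, ilasm.exe, wmplayer.exe, all of which match the Quasar Yara rules further down), and sandbox background from Chrome's cache files (chromecache_*.9.dr), the BITS job database (qmgr.db.8.dr) and the svchost.exe instance with index 8, none of which appear among the Yara-matched processes. The script below is an added triage example, not part of the Joe Sandbox report. It parses lines in exactly this format and keeps only URLs that were seen in the memory of a Yara-flagged process. Two readings of the identifiers are this editor's and are taken from cross-references on this page: the first field of a memory-dump ID is the analysis process index in hex (0000001D pairs with "29.2.wmplayer.exe" in the Yara list, 00000019 with the "25_2_" ilasm.exe code functions), and the numeric suffix of a dropped-file ID ("qmgr.db.8.dr") is the dropping process index in decimal. The sample lines are copied from the report, some trimmed to fewer sources.

```python
import re
from dataclasses import dataclass

# Process indices whose memory matched the Quasar Yara rules in the
# "E-Banking Fraud" section: the sample (0, 13, 19) and the processes it
# injected into, ngen.exe (5), svchost.exe (18), ilasm.exe (25) and
# wmplayer.exe (29). Assumption (from cross-references on the page): the
# first field of a memory-dump ID is this index in hex; the numeric suffix
# of a dropped-file ID (".8.dr") is the dropping process index in decimal.
INFECTED_PROCS = {0, 5, 13, 18, 19, 25, 29}

MARKER = " String found in binary or memory: "
MEM_SRC = re.compile(
    r"(?P<name>[^,\s]+), (?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f.]+\.sdmp")
DROP_SRC = re.compile(r"(?P<name>\S+?)\.(?P<pid>\d+)\.dr\b")


@dataclass
class Finding:
    url: str
    mem_sources: list   # [(process name, process index), ...]
    file_sources: list  # [(dropped file name, dropping process index), ...]


def parse_line(line):
    """Split one 'String found in binary or memory' line into its URL and the
    memory dumps / dropped files it was found in. Other lines return None."""
    if not line.startswith("Source: ") or MARKER not in line:
        return None
    src, url = line.split(MARKER, 1)
    src = src[len("Source: "):]
    mem = [(m["name"], int(m["pid"], 16)) for m in MEM_SRC.finditer(src)]
    files = [(m["name"], int(m["pid"], 10)) for m in DROP_SRC.finditer(src)]
    return Finding(url.strip(), mem, files)


def attribute(lines, infected=INFECTED_PROCS):
    """Return (sample_urls, noise_urls).

    sample_urls maps a URL to the names of infected processes whose memory
    contained it. noise_urls maps every other URL to where it came from
    (browser cache, BITS queue or an uninfected process) so it can be dropped.
    Note that the same image name (svchost.exe) can fall on either side: the
    process index, not the name, decides."""
    sample, noise = {}, {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        hits = {name for name, pid in f.mem_sources if pid in infected}
        if hits:
            sample.setdefault(f.url, set()).update(hits)
            continue
        owners = {f"{n} (memory of process {p})" for n, p in f.mem_sources}
        owners |= {f"{n} (dropped by process {p})" for n, p in f.file_sources}
        noise.setdefault(f.url, set()).update(owners)
    return sample, noise


# Constructed sample: report lines copied from this page, some shortened.
SAMPLE_LINES = [
    "Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipwho.is",
    "Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/",
    "Source: chromecache_146.9.dr String found in binary or memory: https://github.com/dotnet/docs/issues",
    "Source: qmgr.db.8.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:",
    "Source: svchost.exe, 00000008.00000002.3311410260.000001E4358C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80",
    "Source: svchost.exe, 00000008.00000003.2187011411.000001E435673000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:",
    "Source: unknown DNS traffic detected: queries for: www.google.com",
]

if __name__ == "__main__":
    sample_urls, noise_urls = attribute(SAMPLE_LINES)
    print("URLs attributable to the sample / injected processes:")
    for url, procs in sorted(sample_urls.items()):
        print(f"  {url}  <- {', '.join(sorted(procs))}")
    print("Background noise:")
    for url, owners in sorted(noise_urls.items()):
        print(f"  {url}  <- {', '.join(sorted(owners))}")
```

Run against the full list above, this leaves the two public IP-lookup services (https://ipwho.is/, https://api.ipify.org/), the schemas.xmlsoap.org claim URIs and the stackoverflow.com/aka.ms/dotnet-warnings strings embedded in the .NET runtime, and files every chromecache_*, qmgr.db and edgedl.me.gvt1.com entry as background. Strings with a trailing stray character ("http://ipwho.isd", "http://schemas.datacontract.org/2004/07/d") are memory-carving artifacts and are kept verbatim; the analyst decides whether to fold them into the clean URL.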
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49824 version: TLS 1.2
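The 29 "HTTP traffic on port" lines above record each direction of a connection separately and in no particular order, and only the three "HTTPS traffic detected" lines name the server address (192.168.2.5 is the sandbox's own address). The script below is an added example, not part of the Joe Sandbox report: it collapses the direction lines to one record per client port and joins the TLS lines onto them, so that the analyst sees which connections were observed in both directions and which server IP each one reached. Applied to the full list above it yields 16 client ports, 13 of them seen in both directions, with a server IP known only for 49725 and 49824 (13.85.23.86) and 49804 (15.204.213.5); the constructed input here is a subset of those lines.

```python
import re

PORT_LINE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)\s*$")
TLS_LINE = re.compile(
    r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (TLS [\d.]+)")


def _new_record(client_port, server_port):
    return {"client_port": client_port, "server_port": server_port,
            "outbound": False, "inbound": False,
            "server_ip": None, "client_ip": None, "tls": None}


def reconstruct_connections(lines, server_port=443):
    """Collapse the per-direction 'HTTP traffic on port A -> B' lines into one
    record per client port and attach server IP / TLS version from the
    'HTTPS traffic detected' lines. Lines about other server ports are ignored."""
    conns = {}
    for line in lines:
        m = PORT_LINE.search(line)
        if m:
            src, dst = int(m[1]), int(m[2])
            if (src == server_port) == (dst == server_port):
                continue  # neither or both ends are the server port: skip
            client = dst if src == server_port else src
            rec = conns.setdefault(client, _new_record(client, server_port))
            rec["inbound" if src == server_port else "outbound"] = True
            continue
        m = TLS_LINE.search(line)
        if m and int(m[2]) == server_port:
            # The report writes the server side first: server_ip:443 -> client_ip:port
            client = int(m[4])
            rec = conns.setdefault(client, _new_record(client, server_port))
            rec.update(server_ip=m[1], client_ip=m[3], tls=m[5])
    return [conns[port] for port in sorted(conns)]


def one_way_ports(conns):
    """Client ports for which the report lists traffic in only one direction."""
    return [c["client_port"] for c in conns if c["outbound"] != c["inbound"]]


# Constructed sample: a subset of the report lines above, order preserved.
SAMPLE_LINES = [
    "Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784",
    "Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725",
    "Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804",
    "Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49725 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49804 version: TLS 1.2",
    "Source: unknown DNS traffic detected: queries for: www.google.com",
]

if __name__ == "__main__":
    conns = reconstruct_connections(SAMPLE_LINES)
    print("client_port  out  in   server_ip      tls")
    for c in conns:
        print(f"{c['client_port']:<11}  {str(c['outbound']):<5}{str(c['inbound']):<5}"
              f"{c['server_ip'] or '-':<15}{c['tls'] or '-'}")
    print("one-way:", one_way_ports(conns))
```

A client port that appears only outbound (49673, 49674 and 49675 in the full list) means the report contains no reply line for it; the script flags these rather than silently merging them, since the difference between "connection attempted" and "connection completed" matters when the same ports are later matched against firewall or proxy logs.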

E-Banking Fraud

barindex
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR

System Summary

barindex
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30FD240 0_2_00007FF7F30FD240
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F17E0 0_2_00007FF7F30F17E0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F2C20 0_2_00007FF7F30F2C20
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30EEA70 0_2_00007FF7F30EEA70
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F0B10 0_2_00007FF7F30F0B10
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30DB050 0_2_00007FF7F30DB050
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30EB350 0_2_00007FF7F30EB350
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F6390 0_2_00007FF7F30F6390
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30E22E0 0_2_00007FF7F30E22E0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30E1142 0_2_00007FF7F30E1142
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F31EC190 0_2_00007FF7F31EC190
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F5910 0_2_00007FF7F30F5910
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30D4CD0 0_2_00007FF7F30D4CD0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30DFBD0 0_2_00007FF7F30DFBD0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30D8AF0 0_2_00007FF7F30D8AF0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30D5980 0_2_00007FF7F30D5980
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30E1A00 0_2_00007FF7F30E1A00
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30CA020 0_2_00007FF7F30CA020
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F00D0 0_2_00007FF7F30F00D0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30F4D80 0_2_00007FF7F30F4D80
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70304D240 13_2_00007FF70304D240
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70303A190 13_2_00007FF70303A190
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF7030417E0 13_2_00007FF7030417E0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703042C20 13_2_00007FF703042C20
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70303EA70 13_2_00007FF70303EA70
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703040B10 13_2_00007FF703040B10
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70302B050 13_2_00007FF70302B050
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703051490 13_2_00007FF703051490
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70303B350 13_2_00007FF70303B350
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703035350 13_2_00007FF703035350
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703048340 13_2_00007FF703048340
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703046390 13_2_00007FF703046390
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF7030383E0 13_2_00007FF7030383E0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703036240 13_2_00007FF703036240
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703037260 13_2_00007FF703037260
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF7030322E0 13_2_00007FF7030322E0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703031142 13_2_00007FF703031142
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70313C190 13_2_00007FF70313C190
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF7030408B0 13_2_00007FF7030408B0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70303A8D0 13_2_00007FF70303A8D0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703047912 13_2_00007FF703047912
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703045910 13_2_00007FF703045910
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703049901 13_2_00007FF703049901
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703038630 13_2_00007FF703038630
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF7030395D0 13_2_00007FF7030395D0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703024CD0 13_2_00007FF703024CD0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70302FBD0 13_2_00007FF70302FBD0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70304EC00 13_2_00007FF70304EC00
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703037A20 13_2_00007FF703037A20
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70304BA50 13_2_00007FF70304BA50
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703028AF0 13_2_00007FF703028AF0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703038920 13_2_00007FF703038920
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703025980 13_2_00007FF703025980
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703031A00 13_2_00007FF703031A00
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70301A020 13_2_00007FF70301A020
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF7030400D0 13_2_00007FF7030400D0
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703044D80 13_2_00007FF703044D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Code function: 25_2_05C3F03C 25_2_05C3F03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Code function: 25_2_0DD7A200 25_2_0DD7A200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Code function: 25_2_0DD76D88 25_2_0DD76D88
Source: C:\Users\user\KxgGGaiW3E.exe Code function: String function: 00007FF70301B360 appears 52 times
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: String function: 00007FF7F30CB360 appears 52 times
Source: KxgGGaiW3E.exe Binary or memory string: OriginalFilename vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe Binary or memory string: OriginalFilename vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000000.2257610633.00007FF703335000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2441468509.00007FF703335000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine Classification label: mal100.troj.evad.winEXE@67/86@17/10
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30D4B00 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF7F30D4B00
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703024B00 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 13_2_00007FF703024B00
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe File created: C:\Users\user\KxgGGaiW3E.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10ut22kp.yp0.ps1
Source: KxgGGaiW3E.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe File read: C:\Users\user\Desktop\KxgGGaiW3E.exe
Source: unknown Process created: C:\Users\user\Desktop\KxgGGaiW3E.exe "C:\Users\user\Desktop\KxgGGaiW3E.exe"
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1980,i,18279504130272871239,1243418513114917448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=608 --field-trial-handle=1972,i,16479660562393968934,10937071673119511898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\KxgGGaiW3E.exe "C:\Users\user\KxgGGaiW3E.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: unknown Process created: C:\Users\user\KxgGGaiW3E.exe "C:\Users\user\KxgGGaiW3E.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,14537101740333488740,3287298464352964342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,6191957489455060914,12654374120200284850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1980,i,18279504130272871239,1243418513114917448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=608 --field-trial-handle=1972,i,16479660562393968934,10937071673119511898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,14537101740333488740,3287298464352964342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,6191957489455060914,12654374120200284850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
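The process-creation records above, parsed into a parent/child tree and run through three triage rules. This is an added example written for this page, not the sandbox's own logic: the rule names, the LOLBin list and the "shortest run ending in .exe" parsing shortcut are the editor's assumptions, and the input lines are the records exactly as this report prints them (including the "Jump to behavior" link text some entries carry). The third rule rests on an interpretation: wmplayer.exe is not a managed application, so its browser launch to the .NET shim's SHIM_NOVERSION_FOUND link is what you would expect from a managed image running inside an injected host that asks for a runtime version the host cannot supply.

```python
"""Parse a sandbox report's "Process created" records into a parent/child tree
and run three triage rules over it.  Added example for this page; the rules
and their names are the editor's, not the sandbox vendor's."""
import re
from collections import defaultdict

# Constructed input: the process-creation records as this report prints them,
# including the "Jump to behavior" link text that some entries carry.
REPORT_LINES = r"""
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe" Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
""".strip().splitlines()

# The child image path may contain spaces ("Program Files (x86)"), so it is
# taken as the shortest run ending in ".exe"; the report writes "unknown" when
# the sandbox could not resolve the child.
RECORD_RE = re.compile(
    r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe|unknown) '
    r'(?P<cmdline>.*?)(?: Jump to behavior)?$'
)
# Command lines start with the quoted image path; everything after it is arguments.
ARGS_RE = re.compile(r'^"[^"]*"\s*(?P<args>.*)$')

# Binaries that a freshly executed user-profile EXE has no business starting
# (build tools and regedit); editor's list, extend it for your environment.
LOLBINS = {"ngen.exe", "csc.exe", "vbc.exe", "ilasm.exe", "msbuild.exe", "regedit.exe"}


def parse_process_lines(lines):
    """Return (parent, child, cmdline) tuples; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["child"], m["cmdline"]))
    return events


def build_tree(events):
    """Map each parent image path to the list of child image paths it started."""
    tree = defaultdict(list)
    for parent, child, _ in events:
        tree[parent].append(child)
    return dict(tree)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Apply the three rules; returns (rule, parent_basename, child_basename)."""
    findings = []
    for parent, child, cmdline in events:
        pname, cname = basename(parent), basename(child)
        m = ARGS_RE.match(cmdline)
        args = m["args"] if m else cmdline
        low = args.lower()
        # Rule 1: a Defender path exclusion added from the command line.
        if cname == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
            findings.append(("defender_exclusion_added", pname, cname))
        # Rule 2: an EXE under C:\Users starts a build tool or regedit.  Starting
        # one with no arguments at all is the tell: no compile, assemble or .reg
        # import looks like that (editor's interpretation: a process started
        # only to host injected code does).
        if parent.lower().startswith("c:\\users\\") and cname in LOLBINS:
            rule = "user_profile_spawns_lolbin" + ("_no_args" if not args.strip() else "")
            findings.append((rule, pname, cname))
        # Rule 3: a process opens the .NET shim's "runtime version not found" link.
        # From wmplayer.exe, which is not a managed application, this is
        # consistent with a managed image running inside an injected host.
        if "o1=shim_noversion_found" in low:
            findings.append(("clr_shim_noversion_found", pname, cname))
    return findings


if __name__ == "__main__":
    events = parse_process_lines(REPORT_LINES)
    for parent, children in build_tree(events).items():
        print(parent)
        for c in children:
            print("    ->", c)
    for finding in triage(events):
        print(*finding)
```

Run against the records above this yields one Defender-exclusion finding, one shim finding for the wmplayer.exe to chrome.exe launch, and four argument-less LOLBin launches (ngen.exe, csc.exe, regedit.exe, ilasm.exe); cmd.exe is deliberately left out of the list because it is too common a child to be useful on its own.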
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: icu.dll
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: ieframe.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wkscli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: mlang.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: policymanager.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: ieframe.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: apphelp.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: windows.storage.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: wldp.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: profapi.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: icu.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: windows.storage.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: wldp.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: profapi.dll
Source: C:\Users\user\KxgGGaiW3E.exe Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: ieframe.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: mlang.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: policymanager.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: msvcp110_win.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32
Source: Google Drive.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: KxgGGaiW3E.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: KxgGGaiW3E.exe Static file information: File size 6679218 > 1048576
Source: KxgGGaiW3E.exe Static PE information: Raw size of .managed is bigger than: 0x100000 < 0x14c200
Source: KxgGGaiW3E.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x12fc00
Source: KxgGGaiW3E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KxgGGaiW3E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KxgGGaiW3E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KxgGGaiW3E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KxgGGaiW3E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KxgGGaiW3E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KxgGGaiW3E.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: KxgGGaiW3E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KxgGGaiW3E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KxgGGaiW3E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KxgGGaiW3E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KxgGGaiW3E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: KxgGGaiW3E.exe Static PE information: section name: .managed
Source: KxgGGaiW3E.exe Static PE information: section name: _RDATA
Source: KxgGGaiW3E.exe.0.dr Static PE information: section name: .managed
Source: KxgGGaiW3E.exe.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30CFEBC push 83480000h; ret 0_2_00007FF7F30CFEC4
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70301FEBC push 83480000h; ret 13_2_00007FF70301FEC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Code function: 25_2_05C351E8 push esp; ret 25_2_05C35445
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe File created: C:\Users\user\KxgGGaiW3E.exe

Boot Survival

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe File created: C:\Users\user\KxgGGaiW3E.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KxgGGaiW3E

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory allocated: 2B683260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory allocated: 2B684BC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory allocated: 2B6A4BC0000 memory reserve | memory write watch
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: 17BDCB80000 memory reserve | memory write watch
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: 17BDE4E0000 memory reserve | memory write watch
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: 17BFE4E0000 memory reserve | memory write watch
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: 20587820000 memory reserve | memory write watch
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: 20589120000 memory reserve | memory write watch
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: 205A9120000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Memory allocated: 5BF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Memory allocated: 7BD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Memory allocated: 5D40000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5974
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3844
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Window / User API: threadDelayed 820
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7826
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1622
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep count: 5974 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep count: 3844 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3948 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep count: 6712 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep count: 998 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208 Thread sleep count: 7826 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5808 Thread sleep count: 1622 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2928 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30D4720 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF7F30D4720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: ngen.exe, 00000005.00000002.2187736884.00000000052E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wmplayer.exe, 0000001D.00000003.2487624297.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: wmplayer.exe, 0000001D.00000003.2487624297.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: svchost.exe, 00000008.00000002.3309172378.000001E43022B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3311162257.000001E435859000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wmplayer.exe, 0000001D.00000003.2487624297.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ilasm.exe, 00000019.00000002.3314816848.000000000AE70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30C5600 RtlAddVectoredExceptionHandler, 0_2_00007FF7F30C5600
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F312B544 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7F312B544
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF703015600 RtlAddVectoredExceptionHandler, 13_2_00007FF703015600
Source: C:\Users\user\KxgGGaiW3E.exe Code function: 13_2_00007FF70307B544 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF70307B544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 402000
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 720000
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 722000
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 4E7A008
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\svchost.exe base: 400000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\svchost.exe base: 402000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\svchost.exe base: 720000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\svchost.exe base: 722000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\cmd.exe base: 400000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\cmd.exe base: 402000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\cmd.exe base: 720000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\cmd.exe base: 722000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 402000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 720000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 722000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 5334008 Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 402000 Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 720000 Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 722000 Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: DA0008 Jump to behavior
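The memory records above follow the classic hollowing sequence: an allocation with execute/read/write protection at an image base (0x400000, the traditional preferred base of a 32-bit PE) inside a freshly created foreign process, then a write to that same base whose first bytes are the PE signature 4D5A ("MZ"), followed by further writes to other sections and to a heap region. The following triage script is an added example, not part of the sandbox report or of the sample; it parses report lines of this shape and correlates allocation and write records per (source, target) pair. The input is constructed from a subset of the lines above plus two invented notepad.exe records as a negative case; the line format is assumed from this page only.

```python
"""Correlate sandbox memory records into process-hollowing candidates.

A hollowing/injection sequence shows up in the report as an RWX allocation at
an image base inside a foreign process, followed by a write to that same base
whose first bytes are the PE 'MZ' signature (4D5A). This script groups the
records by (source, target) and flags the pairs where both happen.

Added example; it is not part of the sandbox report or the sample.
"""
import re
from collections import defaultdict

MZ_SIGNATURE = "4D5A"

ALLOC_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory allocated: (?P<tgt>.+?) "
    r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"
)
WRITE_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory written: (?P<tgt>.+?) "
    r"base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<val>[0-9A-Fa-f]+))?$"
)

# Constructed input: a subset of the records listed in the report, plus two
# invented notepad.exe records (read/write allocation, no MZ write) as a
# negative case, and one unrelated record that the parser must ignore.
SAMPLE_RECORDS = r"""
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 402000
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: DA0008
Source: C:\Users\user\KxgGGaiW3E.exe Memory allocated: C:\Windows\System32\notepad.exe base: 1A0000 protect: page read and write
Source: C:\Users\user\KxgGGaiW3E.exe Memory written: C:\Windows\System32\notepad.exe base: 1A0000 value starts with: 0000
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
"""


def parse_record(line):
    """Parse one report line into a dict, or return None for unrelated lines.

    The trailing 'Jump to behavior' link text from the web report is dropped
    and the base address is converted from hex to int."""
    line = re.sub(r"\s+Jump to behavior$", "", line.strip())
    for kind, pattern in (("alloc", ALLOC_RE), ("write", WRITE_RE)):
        m = pattern.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["base"] = int(rec["base"], 16)
            return rec
    return None


def find_hollowing_candidates(lines):
    """Return one finding per (source, target) pair that received an
    executable allocation and an MZ-prefixed write at the same base."""
    rwx_allocs = defaultdict(set)   # (src, tgt) -> bases allocated executable
    mz_writes = defaultdict(set)    # (src, tgt) -> bases written with 'MZ'
    all_writes = defaultdict(set)   # (src, tgt) -> every base written
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["src"], rec["tgt"])
        if rec["kind"] == "alloc":
            if "execute" in rec["prot"].lower():
                rwx_allocs[key].add(rec["base"])
        else:
            all_writes[key].add(rec["base"])
            if (rec["val"] or "").upper().startswith(MZ_SIGNATURE):
                mz_writes[key].add(rec["base"])
    findings = []
    for key in sorted(rwx_allocs):
        hollowed_bases = rwx_allocs[key] & mz_writes[key]
        if hollowed_bases:
            findings.append({
                "source": key[0],
                "target": key[1],
                "image_base": min(hollowed_bases),
                "regions_written": sorted(all_writes[key]),
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing_candidates(SAMPLE_RECORDS.splitlines()):
        print(f"{f['source']} -> {f['target']}: image base 0x{f['image_base']:X}, "
              f"regions written: {[hex(b) for b in f['regions_written']]}")
```

Run against the full record list from the report, the script flags ngen.exe, svchost.exe, cmd.exe, ilasm.exe and wmplayer.exe as targets; the notepad.exe records in the constructed input are ignored because the allocation is not executable and the write does not begin with MZ.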
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
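Each copy of the sample spawns powershell.exe with Add-MpPreference -ExclusionPath $env:UserProfile. PowerShell expands $env:UserProfile at run time, so the exclusion covers the whole user profile (C:\Users\user on this host), which is where the sample runs from and where it drops its PE files. The detection below is an added example, not part of the sandbox report or the sample: it inspects process-creation command lines for Add-/Set-/Remove-MpPreference calls that add exclusions or flip Disable* switches, and also looks inside the -EncodedCommand form that the "Powershell Base64 Encoded MpPreference Cmdlet" signature refers to. The event shape (parent plus command line) is assumed; only the first command line is taken from the report, the other events are constructed.

```python
"""Flag Defender tampering in process-creation events, including the
-EncodedCommand (base64, UTF-16LE) variant.

Added example; not part of the sandbox report or the sample. The event shape
(parent + command line) is assumed rather than taken from a specific log source.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec and
# -enc are the forms commonly seen in the wild.
ENCODED_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Cmdlets that change Defender configuration, paired with the parameters that
# weaken it (exclusions and the Disable* switches).
MPPREF_RE = re.compile(
    r"\b(Add|Set|Remove)-MpPreference\b[^|;]*?"
    r"-(Exclusion(?:Path|Process|Extension)|Disable\w+)(?:\s+(\S+))?",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_command_line(cmdline):
    """Return one hit per MpPreference tampering call in the command line,
    looking inside the encoded script when there is one."""
    script = decode_encoded_command(cmdline)
    text = cmdline if script is None else script
    return [
        {"cmdlet": m.group(1).capitalize() + "-MpPreference",
         "parameter": m.group(2),
         "value": m.group(3),
         "encoded": script is not None}
        for m in MPPREF_RE.finditer(text)
    ]


# Constructed: the encoded form of a Defender tamper command, built here so
# the example stays self-contained.
ENCODED_SAMPLE = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    # Command line taken from the report.
    {"parent": r"C:\Users\user\KxgGGaiW3E.exe",
     "cmdline": r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile'},
    # Constructed: the same category of tampering hidden behind -enc.
    {"parent": r"C:\Users\user\KxgGGaiW3E.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + ENCODED_SAMPLE},
    # Constructed benign activity that must not fire.
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Set-MpPreference -ScanScheduleDay 1"},
]


def scan_events(events):
    """Return a finding for every event whose command line tampers with Defender."""
    findings = []
    for ev in events:
        for hit in inspect_command_line(ev["cmdline"]):
            findings.append({"parent": ev["parent"], **hit})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['parent']}: {f['cmdlet']} -{f['parameter']} {f['value']} "
              f"(encoded={f['encoded']})")
```

Two caveats for triage: Add-MpPreference only changes the configuration when run from an elevated session, so the integrity level of the powershell.exe process decides whether the exclusion actually took effect; and on a suspect host the current state can be read directly with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath.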
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe Code function: 0_2_00007FF7F30CE180 QueryPerformanceFrequency,GetSystemTimeAsFileTime,QueryPerformanceCounter, 0_2_00007FF7F30CE180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR