Edit tour

Windows Analysis Report
cpainject.txt.ps1

Overview

General Information

Sample name:	cpainject.txt.ps1
Analysis ID:	1619141
MD5:	7a499793d1ed5c1d620d759cb2bb1d78
SHA1:	6476649675acab44f6dbb54c32147e5181345f82
SHA256:	d5e03c97abdb4c8602140fd314885313750e023997c844b09a7c35d7679297d8
Tags:	bitbucketlundkaskaosps1Rhadamanthysuser-skocherhan
Infos:

Detection

PureLog Stealer, RHADAMANTHYS, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RHADAMANTHYS Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Deletes itself after installation

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Uncommon Svchost Parent Process

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7880 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7888 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 8092 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fontdrvhost.exe (PID: 6740 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 6736 cmdline: C:\Windows\system32\WerFault.exe -u -p 6740 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

RegSvcs.exe (PID: 7896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 8072 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

RegSvcs.exe (PID: 7936 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

RegSvcs.exe (PID: 7952 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 8056 cmdline: dw20.exe -x -s 916 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

RegSvcs.exe (PID: 7964 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 8064 cmdline: dw20.exe -x -s 924 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8004 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

MSBuild.exe (PID: 8040 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 8128 cmdline: dw20.exe -x -s 784 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8080 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 7256 cmdline: dw20.exe -x -s 784 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

notepad.exe (PID: 7684 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\cpainject.txt.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://185.208.159.170:2484/38d2415e410113/r8wafme5.m8w1i"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.1699329809.0000000003950000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000007.00000002.1593327576.0000000000523000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000003.1592772282.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000002.1602392652.00000000057A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000011.00000003.1590864571.00000000033D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000002.1594159966.0000000003200000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000002.1888197081.000000000CA6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7500	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7896	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 8092	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.powershell.exe.d614e38.4.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.powershell.exe.d614e38.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.powershell.exe.d614e38.4.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x13c121:$s1: file:/// 0x13c059:$s2: {11111-22222-10009-11112} 0x13c0b1:$s3: {11111-22222-50001-00000} 0x3c17e:$s4: get_Module 0x3de19:$s5: Reverse 0x3b8c1:$s6: BlockCopy 0x3b8cb:$s7: ReadByte 0x13c135:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.powershell.exe.d614e38.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.powershell.exe.d614e38.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.powershell.exe.d614e38.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x13df21:$s1: file:/// 0x13de59:$s2: {11111-22222-10009-11112} 0x13deb1:$s3: {11111-22222-50001-00000} 0x3df7e:$s4: get_Module 0x3fc19:$s5: Reverse 0x3d6c1:$s6: BlockCopy 0x3d6cb:$s7: ReadByte 0x13df35:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.3.svchost.exe.5c00000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.3.svchost.exe.5e20000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4540, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7888, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8092, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4540, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7888, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8092, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T16:10:39.589240+0100	2854802	1	Domain Observed Used for C2 Detected	185.208.159.170	2484	192.168.2.8	49710	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: RegSvcs.exe.7888.6.memstrmin

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.208.159.170:2484/38d2415e410113/r8wafme5.m8w1i"}

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: svchost.exe, 00000011.00000003.1598779856.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1599162288.0000000005C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: svchost.exe, 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: svchost.exe, 00000011.00000003.1595688254.0000000005DF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1594007040.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000011.00000003.1597334519.0000000005DA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1596560913.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: svchost.exe, 00000011.00000003.1595688254.0000000005DF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1594007040.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000011.00000003.1597334519.0000000005DA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1596560913.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: svchost.exe, 00000011.00000003.1598779856.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1599162288.0000000005C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_056878D9 GetLogicalDriveStringsW,QueryDosDeviceW,

7_2_056878D9

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

22_2_000002A8685B0511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:2484 -> 192.168.2.8:49710

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 185.208.159.170 2484

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://185.208.159.170:2484/38d2415e410113/r8wafme5.m8w1i

Source: global traffic

TCP traffic: 192.168.2.8:49710 -> 185.208.159.170:2484

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000000.00000002.1859513648.00000000079EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro%
Source: powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: powershell.exe, 00000000.00000002.1831768387.0000000006C9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000000.00000002.1821167786.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1821167786.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1821167786.0000000005291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1821167786.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1821167786.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.avast.com0/
Source: powershell.exe, 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: fontdrvhost.exe, fontdrvhost.exe, 00000016.00000002.1794357129.000002A8685B0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://185.208.159.170:2484/38d2415e410113/r8wafme5.m8w1i
Source: svchost.exe, 00000011.00000003.1698444186.000000000370C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000016.00000002.1794357129.000002A8685B0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://185.208.159.170:2484/38d2415e410113/r8wafme5.m8w1ikernelbasentdllkernel32GetProcessMitigatio
Source: fontdrvhost.exe, 0000000F.00000002.1593415139.0000000002E7D000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1698563336.00000000032AC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.208.159.170:2484/38d2415e410113/r8wafme5.m8w1ix
Source: powershell.exe, 00000000.00000002.1821167786.0000000005291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: svchost.exe, 00000011.00000003.1660288380.000000000374F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000011.00000003.1660288380.000000000374F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: powershell.exe, 00000000.00000002.1831768387.0000000006C9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1831768387.0000000006C9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1831768387.0000000006C9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1821167786.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1885943042.000000000B830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5ge
Source: powershell.exe, 00000000.00000002.1831768387.0000000006C9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1831768387.0000000006E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1857957657.00000000073E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1866525768.000000000B141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: svchost.exe, 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_2d5321cd-2

Source: svchost.exe, 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_54acc61d-d

Source: Yara match	File source: 17.3.svchost.exe.5c00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.svchost.exe.5e20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8092, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.powershell.exe.d614e38.4.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_056877F1 NtQuerySystemInformation,malloc,NtQuerySystemInformation,K32GetProcessImageFileNameW,	7_2_056877F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0568519A NtQueryInformationProcess,	7_2_0568519A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_056854D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,RtlGetVersion,CloseHandle,	7_2_056854D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0568B28B NtQueryInformationProcess,	7_2_0568B28B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05688A20 NtQueryInformationProcess,	7_2_05688A20
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000002A8685B15C0 NtAcceptConnectPort,	22_2_000002A8685B15C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000002A8685B1CF4 NtAcceptConnectPort,CloseHandle,	22_2_000002A8685B1CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000002A8685B1AA4 NtAcceptConnectPort,NtAcceptConnectPort,	22_2_000002A8685B1AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000002A8685B0AC8 NtAcceptConnectPort,NtAcceptConnectPort,	22_2_000002A8685B0AC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0521BB28	0_2_0521BB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0521D87A	0_2_0521D87A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05352371	6_2_05352371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05350870	6_2_05350870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05350860	6_2_05350860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05E930D0	6_2_05E930D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_013A2371	7_2_013A2371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_013A0870	7_2_013A0870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_013A0860	7_2_013A0860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0568AD4F	7_2_0568AD4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05688FA8	7_2_05688FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0568440E	7_2_0568440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05683000	7_2_05683000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05DD30D0	7_2_05DD30D0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000002A8685B0C70	22_2_000002A8685B0C70

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916

Source: 0.2.powershell.exe.d614e38.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 0.2.powershell.exe.d614e38.4.raw.unpack, Redist.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, Redist.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, Redist.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winPS1@36/26@0/1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4b6573fd-7b5d-835de-50533fc575cb}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_to02qffn.3vt.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cpainject.txt.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\cpainject.txt.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6740 -s 136
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 924	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: drprov.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntlanman.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: davclnt.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cpainject.txt.ps1

Static file information: File size 5246914 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: svchost.exe, 00000011.00000003.1598779856.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1599162288.0000000005C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: svchost.exe, 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: svchost.exe, 00000011.00000003.1595688254.0000000005DF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1594007040.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000011.00000003.1597334519.0000000005DA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1596560913.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: svchost.exe, 00000011.00000003.1595688254.0000000005DF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1594007040.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000011.00000003.1597334519.0000000005DA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1596560913.0000000005C00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: svchost.exe, 00000011.00000003.1598779856.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1599162288.0000000005C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000011.00000003.1600294356.0000000005C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.powershell.exe.d614e38.4.raw.unpack, gBMthepoZSL1ZVKpeA.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.powershell.exe.d614e38.4.raw.unpack, Redist.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, Redist.cs	.Net Code: CoreMain
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, eRtoUikQAUlfmrcXhP.cs	.Net Code: h2NYbtd44f
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, eRtoUikQAUlfmrcXhP.cs	.Net Code: S3B6WIXeQr

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0521E027 pushfd ; ret	0_2_0521E028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0521E336 pushfd ; ret	0_2_0521E337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0521E982 pushfd ; ret	0_2_0521E983
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_05213EB0 push ecx; retf	0_2_05213E76
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07C35218 push ebx; ret	0_2_07C353CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07C3261D push 1C000008h; ret	0_2_07C32625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07C351F9 push ecx; ret	0_2_07C35206
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07C350EB push eax; ret	0_2_07C350F6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07C30D68 push cs; ret	0_2_07C30EEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05795D5E push esi; ret	6_2_05795D69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057931DC push eax; ret	6_2_057931DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05793C39 push ecx; ret	6_2_05793C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057920F9 push FFFFFF82h; iretd	6_2_057920FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057954F9 push edx; retf	6_2_057954FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057938EC push edi; ret	6_2_057938F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05791F6A push eax; ret	6_2_05791F75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05794FD4 push ss; retf	6_2_05794FF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05794F89 push edi; iretd	6_2_05794F96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0579625D push es; ret	6_2_05796264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_013A92DA push edi; iretd	7_2_013A92DD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_00E729A0 push esp; iretd	9_2_00E729A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 10_2_010F29A0 push esp; iretd	10_2_010F29A1
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 12_2_013229A0 push esp; iretd	12_2_013229A1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA52DD push es; ret	15_3_02EA52E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA2CB9 push ecx; ret	15_3_02EA2CD9
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA225C push eax; ret	15_3_02EA225D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA4054 push ss; retf	15_3_02EA4075
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA4009 push edi; iretd	15_3_02EA4016
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA0FEA push eax; ret	15_3_02EA0FF5
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA4DDE push esi; ret	15_3_02EA4DE9
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA296C push edi; ret	15_3_02EA2978

Source: 0.2.powershell.exe.d614e38.4.raw.unpack, Redist.cs	High entropy of concatenated method names: 'DecodePkt', 'GZipDecompress', 'CoreMain', 'Main', 'ParseArguments', 'PrintHelp', 'UTD4DNjHMiTLHCyhCP', 'TMVO2BCaWsWXJLwBLY', 'Pj79kqWRdHwYJZeEDv', 'MLr5EeGqlSyrPPi5qZ'
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, eRtoUikQAUlfmrcXhP.cs	High entropy of concatenated method names: 'WKIpT6WRYP', 'GxIp0d0vl2', 'R3Ppdmg34A', 'iAsp1JjQqZ', 'yQwppAuByG', 'BT0pvkDekn', 'ENbpFei3CE', 'YlPUn7XuQH', 'Qsnpc1Onv9', 'jAdpZCXbre'
Source: 0.2.powershell.exe.d614e38.4.raw.unpack, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'OCbF1M56x8DkYrSUUwi', 'X1igpd5Qfeqlc6isRSl', 'reTlcDMFua', 'xESyZE58d2hFOSyfeI0', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'MWNWIh5LSTInuEi3YU8'

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\cpainject.txt.ps1

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.ps1

Static PE information: cpainject.txt.ps1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7896, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\SysWOW64\svchost.exe

Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 5DCB83A

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4*
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 52F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1610000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 3320000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 5320000 memory commit \| memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: VBoxGuest
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\vboxservice.exe
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\vboxtray.exe
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\vboxhook.dll
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: VBoxMiniRdrDN
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6304			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3386			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-7827

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752

Thread sleep time: -6456360425798339s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_056878D9 GetLogicalDriveStringsW,QueryDosDeviceW,

7_2_056878D9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000011.00000002.1698908649.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1699051586.0000000003680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000011.00000002.1698947577.0000000003612000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000011.00000002.1699051586.0000000003680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rosoft-Windows-PersistentMemory-PmemDiskMicrosoft-Windows-Power-Meter-PollingMicrosoft-Windows-Power-TroubleshooterMicrosoft-Windows-ReFSMicrosoft-Windows-ReFS-v1Microsoft-Windows-ResetEngMicrosoft-Windows-Resource-Exhaustion-DetectorMicrosoft-Windows-ResourcePublicationMicrosoft-Windows-SCPNPMicrosoft-Windows-Serial-ClassExtensionMicrosoft-Windows-Serial-ClassExtension-V2Microsoft-Windows-ServicingMicrosoft-Windows-SetupMicrosoft-Windows-SetupPlatformMicrosoft-Windows-SPB-ClassExtensionMicrosoft-Windows-SPB-HIDI2CMicrosoft-Windows-Spell-CheckingMicrosoft-Windows-SpellCheckerMicrosoft-Windows-StartupRepairMicrosoft-Windows-Subsys-SMSSMicrosoft-Windows-TaskSchedulerMicrosoft-Windows-TerminalServices-LocalSessionManagerMicrosoft-Windows-TerminalServices-RemoteConnectionManagerMicrosoft-Windows-Time-ServiceMicrosoft-Windows-TPM-WMIMicrosoft-Windows-USB-CCIDMicrosoft-Windows-USB-MAUSBHOSTMicrosoft-Windows-USB-USBHUB3Microsoft-Windows-USB-USBXHCIMicrosoft-Windows-UserModePowerServiceMicrosoft-Windows-UserPnpMicrosoft-Windows-WHEA-LoggerMicrosoft-Windows-Windows Firewall With Advanced SecurityMicrosoft-Windows-WindowsToGo-StartupOptionsMicrosoft-Windows-WindowsUpdateClientMicrosoft-Windows-WininitMicrosoft-Windows-WinlogonMicrosoft-Windows-WLAN-AutoConfigMicrosoft-Windows-WMPNSS-Servicemlx4_busmouclassmouhidmrxsmbMsBridgeMSDTC GatewayMSDTC WS-AT ProtocolmshidumdfMSiSCSIMTConfigMupmvumisNdisImPlatformNdisImPlatformSysEvtProviderNdisWanndiswanlegacyNetBIOSNetBTNetJoinNetlogonNtfsnvdimmnvstorP2PIMSvcParportpartmgrpcmciapercsas2ipercsas3ipmemPNPMEMPNRPSvcPowerPptpMiniportPrintPrintFilterPipelineSvcProcessorRasAutoRasCfgRasmanRasSstprdbssRemoteAccessRetailDemoRFCOMMrhproxyrspndrSAMsbp2portSCardSvrSchannelscmbussercxsercx2SerialsermouseServerService Control ManagerSiSRaid2SiSRaid4SmartSAMDSMSvcHost 3.0.0.0SMSvcHost 4.0.0.0SNMPTRAPspaceportspbcxSrvstexstorStillImagestorahcistornvmeTcpipTcpip6TCPMonTermServiceTPMtsusbflttsusbhubtunnelUASPStorUmRdpServiceusbaudio2usbehciusbserUser32VDS Basic ProviderVDS Dynamic ProviderVDS Virtual Disk ProviderVirtual Disk ServicevmcivolmgrVolsnapvpcivsmraidVSTXRAIDW32TimeWacomPenWalletServicewdf01000wecsvcWin32kWinDefendWindows Disk DiagnosticWindows Script HostWinHttpAutoProxySvcWinNatWinRMWMIxWDMWMPNetworkSvcWorkstationWPDClassInstallerC:\Windows\System32\Winevt\Logs\System.evtx20231003095556.787652+120user-PCC:\Windows\System32\Winevt\Logs\System.evtxc:c:\windows\system32\winevt\logs\system~1.evtevtxSystemevtx FileNTFS20231003095556.787652+12020250219161010.521838+06020250219161010.521838+060\windows\system32\winevt\logs\OK
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000011.00000002.1698997151.000000000366B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JMicrosoft-Windows-GPIO-ClassExtensionHMicrosoft-Windows-Hyper-V-HypervisorC:\Windows\system32\wbem\fastprox.dlllHMicrosoft-Windows-Devices-BackgroundC:\Windows\system32\wbem\wbemsvc.dlll
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: svchost.exe, 00000011.00000002.1699051586.0000000003690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: svchost.exe, 00000011.00000002.1699110814.000000000369E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %systemroot%\system32\wbem\wbemprox.dllBMicrosoft-Windows-WLAN-AutoConfigDMicrosoft-Windows-IsolatedUserMode>Microsoft-Windows-BitLocker-APIHMicrosoft-Antimalware-ShieldProvider@Microsoft-Windows-DiskDiagnosticHMicrosoft-Windows-Devices-Background>Microsoft-Windows-DHCPv6-ClientDMicrosoft-Windows-BitLocker-Driver@Microsoft-Windows-DistributedCOM@Microsoft-Windows-EventCollectorFApplication Management Group PolicyJMicrosoft-Windows-Fault-Tolerant-Heap>Microsoft-Windows-FilterManager@Microsoft-Windows-WMPNSS-ServiceJMicrosoft-Windows-GPIO-ClassExtensionHMicrosoft-Windows-Hyper-V-Hypervisor>Microsoft-Windows-StartupRepair@Microsoft-Windows-Kernel-General<Microsoft-Windows-Time-Service>Microsoft-Windows-OverlayFilter>Microsoft-Windows-USB-MAUSBHOSTHMicrosoft-Windows-SPB-ClassExtension>Microsoft-Windows-TaskScheduler<Microsoft-Windows-Kernel-Power>Microsoft-Windows-SetupPlatform@Microsoft-Windows-Spell-Checking>Microsoft-Windows-NetworkBridge<Microsoft-Windows-OfflineFiles<Microsoft-Windows-SpellCheckerFMicrosoft-Windows-LanguagePackSetupJMicrosoft-Windows-Power-Meter-PollingJMicrosoft-Windows-ResourcePublicationJMicrosoft-Windows-WindowsUpdateClientBMicrosoft-Windows-WLAN-AutoConfig
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000011.00000003.1600925399.0000000005E20000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05791277 mov eax, dword ptr fs:[00000030h]	6_2_05791277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_056887FF mov eax, dword ptr fs:[00000030h]	7_2_056887FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05688BD0 mov eax, dword ptr fs:[00000030h]	7_2_05688BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0568B22E mov eax, dword ptr fs:[00000030h]	7_2_0568B22E
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 15_3_02EA0283 mov eax, dword ptr fs:[00000030h]	15_3_02EA0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_3_032E0283 mov eax, dword ptr fs:[00000030h]	17_3_032E0283

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 185.208.159.170 2484

.NET source code references suspicious native API functions

Source: 0.2.powershell.exe.73e0000.1.raw.unpack, B.cs	Reference to suspicious API methods: LoadLibraryA(ref P_0)
Source: 0.2.powershell.exe.73e0000.1.raw.unpack, B.cs	Reference to suspicious API methods: ((delegate<IntPtr, Type, Delegate>)obj1.obj0[num - 22])(GetProcAddress(intPtr, ref P_1), ((delegate<RuntimeTypeHandle, Type>)obj1.obj0[num - 23])(typeof(CreateApi).TypeHandle))
Source: 0.2.powershell.exe.73e0000.1.raw.unpack, B.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num16 + 8, (byte[])obj14, 4, ref num9)
Source: 0.2.powershell.exe.73e0000.1.raw.unpack, B.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(processHandle2, ref intPtr3, IntPtr.Zero, ref uIntPtr, num31, num32)
Source: 6.2.RegSvcs.exe.316f6dc.2.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 6.2.RegSvcs.exe.316f6dc.2.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 924	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\cpainject.txt.ps1 VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_056854D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,RtlGetVersion,CloseHandle,

7_2_056854D6

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe
Source: svchost.exe, 00000011.00000002.1699140740.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1593327576.0000000000523000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1888197081.000000000CA6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000011.00000002.1699329809.0000000003950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1592772282.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1602392652.00000000057A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1590864571.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1594159966.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1593327576.0000000000523000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1888197081.000000000D46C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1888197081.000000000CA6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000011.00000002.1699329809.0000000003950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1592772282.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1602392652.00000000057A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1590864571.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1594159966.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.d614e38.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	11 Masquerading	21 Input Capture	651 Security Software Discovery	Remote Services	21 Input Capture	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	271 Virtualization/Sandbox Evasion	Security Account Manager	271 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Obfuscated Files or Information	Cached Domain Credentials	234 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cpainject.txt.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
cpainject.txt.ps1