Edit tour

Windows Analysis Report
1.ps1

Overview

General Information

Sample name:	1.ps1
Analysis ID:	1636808
MD5:	924dbcbb0eda55d7f6f0978bb22dbdda
SHA1:	42e8afbdf57113d79a878ec70f70dfca486e7afb
SHA256:	57b2cb1adb81aaab06200bd39717974236016959792ff7cc8d1f4536efa69b9d
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Early bird code injection technique detected

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected RHADAMANTHYS Stealer

.NET source code contains potential unpacker

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected MSILLoadEncryptedAssembly

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dllhost Internet Connection

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7436 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

svchost.exe (PID: 2132 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 5148 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

chrome.exe (PID: 612 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 2084 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr2E95.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d4a75c5f/4a1b3c1a" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2188,i,10742310718371479009,15157293769129927295,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

wmpshare.exe (PID: 4348 cmdline: "C:\Program Files\Windows Media Player\wmpshare.exe" MD5: A89F75B51EAADA8C97F8D674B3EDB2F2)

dllhost.exe (PID: 1596 cmdline: "C:\Windows\system32\dllhost.exe" MD5: 08EB78E5BE019DF044C26B14703BD1FA)

WerFault.exe (PID: 5324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 496 MD5: C31336C1EFC2CCB44B4326EA793040F2)

notepad.exe (PID: 7952 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\1.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

svchost.exe (PID: 8088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

elevation_service.exe (PID: 3692 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

AvastBrowserUpdate.exe (PID: 3484 cmdline: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe MD5: BAD9E53D3D2FCC281D2123F729E278BF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000003.1784088434.0000000003840000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000B.00000003.1790007214.0000000005A10000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000003.1789842064.00000000057F0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1793738107.00000000041E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000002.1771943733.0000000005A09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1855883981.00000000038E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7800	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 7800	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: svchost.exe PID: 2132	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 5148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.powershell.exe.61ab0d0.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.powershell.exe.616b8e4.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.powershell.exe.6118a90.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.powershell.exe.61ab0d0.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.3.svchost.exe.57f0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.3.svchost.exe.57f0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.3.svchost.exe.57f0000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.3.svchost.exe.5a10000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.3.svchost.exe.5a10000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 4 entries

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3556, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", ProcessId: 7800, ProcessName: powershell.exe

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 91.240.118.2, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\dllhost.exe, Initiated: true, ProcessId: 1596, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7436, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 2132, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3556, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", ProcessId: 7800, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8088, ProcessName: svchost.exe

Suricata Signatures

ETPRO JA3 HASH Suspected Malware Related Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T06:25:12.966490+0100	2854824	2	Potentially Bad Traffic	185.147.124.2	5353	192.168.2.4	49736	TCP
2025-03-13T06:25:25.123075+0100	2854824	2	Potentially Bad Traffic	185.147.124.2	5353	192.168.2.4	49737	TCP

ETPRO MALWARE Possible Malicious Second Stage Download with Terse Headers

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T06:24:39.103149+0100	2833022	1	A Network Trojan was detected	172.67.166.76	443	192.168.2.4	49727	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T06:24:44.523585+0100	2854802	1	Domain Observed Used for C2 Detected	185.147.124.2	5353	192.168.2.4	49728	TCP
2025-03-13T06:25:12.966490+0100	2854802	1	Domain Observed Used for C2 Detected	185.147.124.2	5353	192.168.2.4	49736	TCP
2025-03-13T06:25:25.123075+0100	2854802	1	Domain Observed Used for C2 Detected	185.147.124.2	5353	192.168.2.4	49737	TCP
2025-03-13T06:25:41.445360+0100	2854802	1	Domain Observed Used for C2 Detected	91.240.118.2	443	192.168.2.4	49738	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://usa.trendys.cloud/code.bin

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: 1.ps1

ReversingLabs: Detection: 29%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E96B88 CryptUnprotectData,	15_2_00007DF4E0E96B88
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F23838 calloc,CryptProtectData,LocalFree,CreateFileW,WriteFile,CloseHandle,	22_3_00007DF480F23838
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D478EEC zip_fopen_index,zip_fopen_index_encrypted,	24_2_6D478EEC
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D416960 CryptHashCertificate,	24_2_6D416960
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D416B60 CryptQueryObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore,	24_2_6D416B60
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D3AA591 CryptReleaseContext,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	24_2_6D3AA591
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D3A47F8 CryptProtectData,LocalFree,	24_2_6D3A47F8
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D474312 CryptAcquireContextW,GetLastError,CryptReleaseContext,	24_2_6D474312
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D41592F CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey,	24_2_6D41592F
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D4158C9 CryptHashData,	24_2_6D4158C9
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D3F5554 CryptUnprotectData,GetLastError,LocalFree,	24_2_6D3F5554
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D47D76E zip_fopen_index_encrypted,zip_source_open,zip_source_free,	24_2_6D47D76E
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D41570A CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptCreateHash,	24_2_6D41570A
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_7FAEE67C CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	24_2_7FAEE67C
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_7FAE4FA6 memset,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	24_2_7FAE4FA6

Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_773970b1-9

Source: unknown	HTTPS traffic detected: 172.67.166.76:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.240.118.2:443 -> 192.168.2.4:49738 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: svchost.exe, 0000000B.00000003.1789625687.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1789690528.0000000005910000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: svchost.exe, 0000000B.00000003.1790007214.0000000005A10000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1789842064.00000000057F0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000000.00000002.1786845908.00000000069E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: svchost.exe, 0000000B.00000003.1787834240.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1788496088.00000000059E0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.1973260532.00000267327B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.1973101219.00000267325C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 0000000B.00000003.1789056248.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1789443974.0000000005990000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: svchost.exe, 0000000B.00000003.1787834240.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1788496088.00000000059E0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.1973260532.00000267327B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.1973101219.00000267325C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000000.00000002.1786845908.00000000069E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 0000000B.00000003.1789056248.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1789443974.0000000005990000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: chrome_elf.dll.pdb source: chrome.exe, 00000012.00000002.2074551064.00007FFCA130F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: AvastBrowserUpdate_unsigned.pdb source: AvastBrowserUpdate.exe
Source:	Binary string: wkernelbase.pdbUGP source: svchost.exe, 0000000B.00000003.1790007214.0000000005A10000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1789842064.00000000057F0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: svchost.exe, 0000000B.00000003.1789625687.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1789690528.0000000005910000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E91618 FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,	15_2_00007DF4E0E91618
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_00C5C126 FindFirstFileExW,	24_2_00C5C126
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D396118 FindFirstFileW,FindClose,FindNextFileW,	24_2_6D396118
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D3678C0 FindFirstFileW,GetLastError,_wcslen,DeleteFileW,FindNextFileW,GetLastError,FindClose,	24_2_6D3678C0
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D367A07 GetFileAttributesW,GetLastError,_wcslen,FindFirstFileW,GetLastError,_wcslen,_wcslen,FindNextFileW,FindClose,RemoveDirectoryW,	24_2_6D367A07
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D369507 FindFirstFileW,FindNextFileW,FindClose,	24_2_6D369507
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D38944D FindFirstFileW,FindNextFileW,FindClose,	24_2_6D38944D
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D367789 FindFirstFileW,FindNextFileW,GetLastError,FindClose,	24_2_6D367789
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D36D6DE FindFirstFileW,FindNextFileW,FindClose,	24_2_6D36D6DE
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D3A92EE FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,	24_2_6D3A92EE

Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe

Code function: 24_2_6D371FC7 GetLogicalDriveStringsW,QueryDosDeviceW,_wcslen,_wcslen,

24_2_6D371FC7

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Adobe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: 4x nop then dec esp	15_2_00000218A63D0511
Source: C:\Windows\System32\svchost.exe	Code function: 4x nop then dec esp	15_2_00007DF4E0EA25B1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 4x nop then dec esp	18_2_00000267309B25B1
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 4x nop then dec esp	22_2_0000022ED1F45681

Source: chrome.exe

Memory has grown: Private usage: 3MB later: 26MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.147.124.2:5353 -> 192.168.2.4:49728
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.147.124.2:5353 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.147.124.2:5353 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 91.240.118.2:443 -> 192.168.2.4:49738

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 185.147.124.2 5353

Source: Joe Sandbox View	IP Address: 194.58.203.20 194.58.203.20
Source: Joe Sandbox View	IP Address: 213.239.239.164 213.239.239.164
Source: Joe Sandbox View	IP Address: 94.198.159.14 94.198.159.14
Source: Joe Sandbox View	IP Address: 169.229.128.134 169.229.128.134

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6

Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 185.147.124.2:5353 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 185.147.124.2:5353 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2833022 - Severity 1 - ETPRO MALWARE Possible Malicious Second Stage Download with Terse Headers : 172.67.166.76:443 -> 192.168.2.4:49727

Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.2

Source: global traffic	DNS traffic detected: DNS query: usa.trendys.cloud
Source: global traffic	DNS traffic detected: DNS query: ntp1.net.berkeley.edu
Source: global traffic	DNS traffic detected: DNS query: ntp.nict.jp
Source: global traffic	DNS traffic detected: DNS query: x.ns.gin.ntt.net
Source: global traffic	DNS traffic detected: DNS query: ntp.time.nl
Source: global traffic	DNS traffic detected: DNS query: ntp1.hetzner.de
Source: global traffic	DNS traffic detected: DNS query: gbg1.ntp.se
Source: global traffic	DNS traffic detected: DNS query: i.imgur.com

Source: svchost.exe, 0000000F.00000003.2112575910.00000218A6E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:8000/d4a75c5f/4a1b3c1a
Source: svchost.exe, 00000003.00000002.2414013496.00000181D0800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0B07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.1771943733.00000000048C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 0000000F.00000003.2092507403.00000218A6CF0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2092585618.00000218A6CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.147.124.2:5353/78fc5131525a9e8d335b1/dpa3122v.camha
Source: svchost.exe, 0000000B.00000002.1854363388.000000000370C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2408764622.00000218A63D0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://185.147.124.2:5353/78fc5131525a9e8d335b1/dpa3122v.camhakernelbasentdllkernel32GetProcessMiti
Source: svchost.exe, 0000000B.00000002.1847779211.000000000327C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.147.124.2:5353/78fc5131525a9e8d335b1/dpa3122v.camhax
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000000.00000002.1771943733.00000000048C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000012.00000002.2074551064.00007FFCA130F000.00000002.00000001.01000000.0000000E.sdmp, AvastBrowserUpdate.exe	String found in binary or memory: https://clients2.google.com/cr/report
Source: AvastBrowserUpdate.exe	String found in binary or memory: https://clients2.google.com/service/check2?crx3=true
Source: AvastBrowserUpdate.exe	String found in binary or memory: https://clients5.google.com/tbproxy/usagestats
Source: svchost.exe, 0000000B.00000003.1807400387.000000000379F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 0000000B.00000003.1807400387.000000000379F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: svchost.exe, 0000000F.00000003.2092079890.00000218A6C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2092004550.00000218A6C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: svchost.exe, 0000000F.00000003.2092079890.00000218A6C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2092004550.00000218A6C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0AFF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1207801464.00000181D0A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0AA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1207801464.00000181D0B07000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1207801464.00000181D0AC2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1207801464.00000181D0AF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: AvastBrowserUpdate.exe	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000003.00000003.1207801464.00000181D0A56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: AvastBrowserUpdate.exe	String found in binary or memory: https://update.googleapis.com/service/update2
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: svchost.exe, 0000000F.00000003.2088834816.00000218A6F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: AvastBrowserUpdate.exe	String found in binary or memory: https://www.google.com/support/installer/?

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: Yara match	File source: 11.3.svchost.exe.57f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.57f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.57f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.5a10000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.5a10000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.1790007214.0000000005A10000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1789842064.00000000057F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2132, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B8F910 NtResumeThread,	0_2_06B8F910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B8F908 NtResumeThread,	0_2_06B8F908
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00000218A63D15C0 NtAcceptConnectPort,	15_2_00000218A63D15C0
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00000218A63D1CF4 NtAcceptConnectPort,CloseHandle,	15_2_00000218A63D1CF4
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9F050 NtAcceptConnectPort,	15_2_00007DF4E0E9F050
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9FFDC malloc,RtlDosPathNameToNtPathName_U,NtAcceptConnectPort,NtAcceptConnectPort,free,	15_2_00007DF4E0E9FFDC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9EFCC NtAcceptConnectPort,	15_2_00007DF4E0E9EFCC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9EFAC NtAcceptConnectPort,	15_2_00007DF4E0E9EFAC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9F0B8 NtAcceptConnectPort,	15_2_00007DF4E0E9F0B8
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9F244 NtAcceptConnectPort,	15_2_00007DF4E0E9F244
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9F224 NtAcceptConnectPort,	15_2_00007DF4E0E9F224
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0EA0188 calloc,NtAcceptConnectPort,free,	15_2_00007DF4E0EA0188
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9F3FC CreateFileMappingW,MapViewOfFile,DuplicateHandle,NtAcceptConnectPort,	15_2_00007DF4E0E9F3FC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9F76C calloc,DuplicateHandle,NtAcceptConnectPort,free,NtAcceptConnectPort,NtAcceptConnectPort,	15_2_00007DF4E0E9F76C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_00007DF4E0E9EEF0 NtAcceptConnectPort,	15_2_00007DF4E0E9EEF0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00000267309AEF64 NtAcceptConnectPort,	18_2_00000267309AEF64
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00000267309AF19C NtAcceptConnectPort,	18_2_00000267309AF19C
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	22_3_00007DF480F31958
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	22_3_00007DF480F31958
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free,	22_3_00007DF480F31CE8
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free,	22_3_00007DF480F31CE8
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free,	22_3_00007DF480F31CE8
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free,	22_3_00007DF480F31CE8
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	22_3_00007DF480F31958
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_3_00007DF480F31958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	22_3_00007DF480F31958
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F52FD0 NtAcceptConnectPort,	22_2_0000022ED1F52FD0
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F52FA0 NtAcceptConnectPort,	22_2_0000022ED1F52FA0
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F52F74 NtAcceptConnectPort,	22_2_0000022ED1F52F74
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F52EA0 NtAcceptConnectPort,	22_2_0000022ED1F52EA0
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F530BC NtAcceptConnectPort,	22_2_0000022ED1F530BC
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F53078 NtAcceptConnectPort,	22_2_0000022ED1F53078
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F52C14 NtAcceptConnectPort,	22_2_0000022ED1F52C14
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F5334C NtAcceptConnectPort,	22_2_0000022ED1F5334C
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_0000022ED1F52B00 NtAcceptConnectPort,	22_2_0000022ED1F52B00
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_00007DF480F42E90 NtQuerySystemInformation,free,malloc,NtQuerySystemInformation,	22_2_00007DF480F42E90
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Code function: 22_2_00007DF480F725D4 NtQuerySystemInformation,NtQuerySystemInformation,	22_2_00007DF480F725D4
Source: C:\Windows\System32\dllhost.exe	Code function: 23_2_000002CE37C53854 NtQuerySystemInformation,	23_2_000002CE37C53854
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_3_7FC6042F NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	24_3_7FC6042F
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_3_7FC6066F NtProtectVirtualMemory,	24_3_7FC6066F
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_010F7FAB NtAllocateVirtualMemory,NtProtectVirtualMemory,	24_2_010F7FAB

Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D362FB3 appears 187 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D489AF0 appears 45 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D374396 appears 70 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D36DC4E appears 45 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D49397D appears 43 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D36DC24 appears 66 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D36589B appears 190 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D3F4DE0 appears 45 times
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: String function: 6D365B56 appears 39 times

Source: 0.2.powershell.exe.69e0000.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.powershell.exe.69e0000.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,		24_2_6D377EA9
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,		24_2_6D377B61

Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D3775C3 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle,		24_2_6D3775C3
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Code function: 24_2_6D377667 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle,		24_2_6D377667

Source: C:\Windows\System32\svchost.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\GS-1-5-21-2246122658-3693405117-2476756634-1002{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-7414dff8-ea62-6e9bec-ac73e80114b7}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:64:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ffycyc

Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Command line argument: kernel32.dll		24_2_00C56A08
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Command line argument: DllEntry		24_2_00C56A08

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 0000000F.00000003.2089162032.00000218A6E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2089226896.00000218A6F59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: svchost.exe, 0000000F.00000003.1901555540.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2414088105.00007DF4E0FA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413475957.00000218AA3D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1903727256.00000218AA010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2413648742.00000218AA550000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000012.00000002.2073722507.0000026730980000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: AvastBrowserUpdate.exe	String found in binary or memory: /installerdata=
Source: AvastBrowserUpdate.exe	String found in binary or memory: https://www.google.com/support/installer/?
Source: AvastBrowserUpdate.exe	String found in binary or memory: Application update/install

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\1.ps1"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 496
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr2E95.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d4a75c5f/4a1b3c1a"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2188,i,10742310718371479009,15157293769129927295,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:3
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmpshare.exe "C:\Program Files\Windows Media Player\wmpshare.exe"
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr2E95.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d4a75c5f/4a1b3c1a"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmpshare.exe "C:\Program Files\Windows Media Player\wmpshare.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2188,i,10742310718371479009,15157293769129927295,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
1.ps1

Source: 0.2.powershell.exe.69e0000.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.powershell.exe.69e0000.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 15.2.svchost.exe.218a6cbc070.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.2.svchost.exe.218a6cbc070.1.raw.unpack, Runtime.cs	.Net Code: CoreMain

Source: Yara match	File source: 0.2.powershell.exe.61ab0d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.616b8e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.6118a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.61ab0d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1771943733.0000000005A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B835B2 push esp; ret	0_2_06B835B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B835AA push esp; ret	0_2_06B835B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B835F0 pushfd ; ret	0_2_06B835F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B84202 push eax; retf	0_2_06B84209
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B83BF6 push es; ret	0_2_06B83C04
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06B8731D push es; ret	0_2_06B87328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_06F41112 push eax; retf	0_2_06F41131
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07064208 pushfd ; retf	0_2_0706420A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_07064216 pushfd ; retf	0_2_07064217
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0706A028 push ss; iretd	0_2_0706A72A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_0706B85F push ss; iretd	0_2_0706B862
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B310F9 push FFFFFF82h; iretd	10_2_00B310FB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B344F9 push edx; retf	10_2_00B344FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B328EC push edi; ret	10_2_00B328F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B32C39 push ecx; ret	10_2_00B32C59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B3525D push es; ret	10_2_00B35264
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B33F89 push edi; iretd	10_2_00B33F96
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B33FD4 push ss; retf	10_2_00B33FF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B321DC push eax; ret	10_2_00B321DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B30F6A push eax; ret	10_2_00B30F75
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00B34D5E push esi; ret	10_2_00B34D69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_0328296C push edi; ret	11_3_03282978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03281179 push FFFFFF82h; iretd	11_3_0328117B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03284579 push edx; retf	11_3_0328457C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03280FEA push eax; ret	11_3_03280FF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03284DDE push esi; ret	11_3_03284DE9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03284009 push edi; iretd	11_3_03284016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_0328225C push eax; ret	11_3_0328225D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03284054 push ss; retf	11_3_03284075
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_03282CB9 push ecx; ret	11_3_03282CD9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_3_032852DD push es; ret	11_3_032852E4

Source: C:\Program Files\Windows Media Player\wmpshare.exe	File created: C:\Users\user\AppData\Roaming\Avt\goopdate.dll			Jump to dropped file
Source: C:\Program Files\Windows Media Player\wmpshare.exe	File created: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	API/Special instruction interceptor: Address: 7FFCC372D044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFCC372D044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 5B4B83A

Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU
Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4
Source: svchost.exe, 0000000B.00000002.1854363388.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5242			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4432			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -14757395258967632s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8112	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: svchost.exe, 0000000F.00000003.2090493075.00000218A6CE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: svchost.exe, 0000000B.00000002.1854254504.0000000003669000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSAFD RfComm [Bluetooth]Hyper-V RAWen-USen-GBn
Source: svchost.exe, 0000000F.00000003.2090493075.00000218A6CE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: svchost.exe, 0000000B.00000003.1789842064.00000000057F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: svchost.exe, 00000003.00000002.2414193823.00000181D085A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2412027728.00000181CB22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1848907236.0000000003612000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2409515543.00000218A6413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.1848907236.0000000003612000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 0000000F.00000002.2409515543.00000218A6413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@ C
Source: svchost.exe, 0000000B.00000003.1789842064.00000000057F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: svchost.exe, 0000000B.00000002.1855883981.00000000038E0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: >=VmcI-
Source: svchost.exe, 0000000F.00000002.2409774124.00000218A642F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWMSAFD RfComm [Bluetooth]RSVP UDP Service Provider